Data Protection and Digital Information Bill 


EXPLANATORY NOTES 
Explanatory notes to the Bill, prepared by the Department for Digital, Culture, Media and 
Sport, the Home Office, the Department for Business, Energy and Industrial Strategy, the
Cabinet Office and the Department of Health and Social Care, are published separately as Bill
143-EN. 
EUROPEAN CONVENTION ON HUMAN RIGHTS 


Secretary Nadine Dorries has made the following statement under section 19(1)(a) of the 
Human Rights Act 1998: 


In my view the provisions of the Data Protection and Digital Information Bill are compatible 
with the Convention rights. 
BILL


Make provision for the regulation of the processing of information relating to 
identified or identifiable living individuals; to make provision about services 
consisting of the use of information to ascertain and verify facts about 
individuals; to make provision about access to customer data and business 
data; to make provision about privacy and electronic communications; to 
make provision about services for the provision of electronic signatures, 
electronic seals and other trust services; to make provision about the 
disclosure of information to improve public service delivery; to make 
provision for the implementation of agreements on sharing information for 
law enforcement purposes; to make provision about the keeping and 
maintenance of registers of births and deaths; to make provision about 
information standards for health and social care; to establish the Information 
Commission; to make provision about oversight of biometric data; and for 
connected purposes. 


BE IT ENACTED by the Queen’s most Excellent Majesty, by and with the advice and
consent of the Lords Spiritual and Temporal, and Commons, in this present 
Parliament assembled, and by the authority of the same, as follows: — 


PART 1 


DATA PROTECTION 
Definitions 


1 Information relating to an identifiable living individual 


(1) In section 3 of the Data Protection Act 2018 (referred to in this Act as “the 2018
Act”) (terms relating to the processing of personal data) — 
(a) in subsection (3) (definition of “identifiable living individual”), after
paragraph (b) insert — 
“(and see section 3A for provision about when information 
relates to an identifiable living individual).”, and 
(b) after that subsection insert —


“(3A) An individual is identifiable from information “directly” if the 
individual can be identified without the use of additional 
information. 


(3B) An individual is identifiable from information “indirectly” if the
individual can be identified only with the use of additional 
information.” 


(2) In the 2018 Act, after section 3 insert —
“3A Information relating to an identifiable living individual 


(1) For the purposes of this Act, information being processed is 
information relating to an identifiable living individual only in cases 
described in subsections (2) and (3). 


(2) The first case is where the living individual is identifiable (as described 
in section 3(3)) by the controller or processor by reasonable means at 
the time of the processing. 


(3) The second case is where the controller or processor knows, or ought 
reasonably to know, that— 
(a) another person will, or is likely to, obtain the information as a 
result of the processing, and 
(b) the living individual will be, or is likely to be, identifiable (as 
described in section 3(3)) by that person by reasonable means at 
the time of the processing. 


(4) For the purposes of this section, an individual is identifiable by a 
person “by reasonable means” if the individual is identifiable by the 
person by any means that the person is reasonably likely to use. 


(5) For the purposes of subsection (4), whether a person is reasonably 
likely to use a means of identifying an individual is to be determined 
taking into account, among other things — 


(a) the time, effort and costs involved in identifying the individual 
by that means, and 
(b) the technology and other resources available to the person.” 


(3) In Article 4 of the UK GDPR (definitions) — 
(a) the existing text becomes paragraph 1, 
(b) in paragraph 1(1) (definition of “personal data”) — 
(i) for “identifiable natural person” (in both places it appears) 
substitute “identifiable living individual”, 
(ii) for “that natural person” substitute “the individual”, and 
(iii) at the end insert “(and see paragraph 2)”, 
(c) in paragraph 1, after point (1) insert— 


“(1A) an individual is identifiable from information “directly” if the
individual can be identified without the use of additional 
information; 


(1B) an individual is identifiable from information “indirectly” if 
the individual can be identified only with the use of 
additional information;”,
(d) in paragraph 1, for point (5) substitute — 


“(5) “pseudonymisation” means the processing of personal data in 
such a manner that it becomes information relating to a living 
individual who is only indirectly identifiable; but personal 
data is only pseudonymised if the additional information 
needed to identify the individual is kept separately and is 
subject to technical and organisational measures to ensure 
that the personal data is not information relating to an 
identified or directly identifiable living individual;”, and 


(e) at the end insert— 


“2. Section 3A of the 2018 Act (information relating to an identifiable 
living individual) applies for the purposes of this Regulation as it 
applies for the purposes of that Act (and, as so applied, the references 
in that section to section 3(3) of that Act are to be read as references to 
Article 4(1)(1) of this Regulation).” 


In consequence of the amendment made by subsection (3)(a), in section 6 of the 
2018 Act (meaning of “controller”), for “4(7)” substitute “4(1)(7)”.


Meaning of research and statistical purposes 


In Article 4 of the UK GDPR (definitions), after paragraph 2 (inserted by section 
1 of this Act) insert — 


“3. References in this Regulation to the processing of personal data for the 
purposes of scientific research (including references to processing for 
“scientific research purposes”) are references to processing for the purposes of
any research that can reasonably be described as scientific, whether publicly or 
privately funded, including processing for the purposes of technological 
development or demonstration, fundamental research or applied research. 


4. But such references only include processing for the purposes of a study 
in the area of public health where the study is conducted in the public interest. 


5. References in this Regulation to the processing of personal data for the 
purposes of historical research (including references to processing for 
“historical research purposes”) include processing for the purposes of 
genealogical research. 


6. References in this Regulation to the processing of personal data for 
statistical purposes are references to processing for statistical surveys or for the 
production of statistical results where — 


(a) the information that results from the processing is aggregate data that 
is not personal data, and 


(b) neither that information, nor the personal data processed, is used in 
support of measures or decisions with respect to a particular
individual.”


Consent to processing for the purposes of scientific research

(1) Article 4 of the UK GDPR (definitions) is amended as follows.


(2) In point (11) of paragraph 1(1) (definition of “consent”), at the end insert “(and
see paragraphs 7 and 8 of this Article)”.


After paragraph 6 (inserted by section 2 of this Act) insert — 


“7. A data subject’s consent is to be treated as falling within the definition of 
“consent” in point (11) of paragraph 1 if — 


(a) it does not fall within that definition because (and only because) the 
consent is given to the processing of personal data for the purposes of 
an area of scientific research, 


(b) at the time the consent is sought, it is not possible to identify fully the
purposes for which personal data is to be processed, 


(c) seeking consent in relation to the area of scientific research is 
consistent with generally recognised ethical standards relevant to the 
area of research, and 


(d) so far as the intended purposes of the processing allow, the data 
subject is given the opportunity to consent only to processing for part 
of the research. 


8. References in this Regulation to consent given for a specific purpose 
(however expressed) include consent described in paragraph 7.” 


Consent of data subject to law enforcement processing 
The 2018 Act is amended as follows. 
In section 33 (definitions), after subsection (1) insert — 


“(1A) “Consent” of the data subject to the processing of personal data means 
a freely given, specific, informed and unambiguous indication of the 
data subject’s wishes by which the data subject, by a statement or by a 
clear affirmative action, signifies agreement to the processing of the 
personal data (and see section 40A).” 


In section 34(2) (overview of Chapter 2 of Part 3), after paragraph (a) (but 
before the “and” at the end of that paragraph) insert — 


“(aa) section 40A makes provision about processing carried out in 
reliance on the consent of the data subject,”. 


After section 40 insert — 
“40A Conditions for consent 


(1) This section is about processing of personal data that is carried out in 
reliance on the consent of the data subject. 
(2) The controller must be able to demonstrate that the data subject
consented to the processing.


(3) If the data subject’s consent is given in writing as part of a document
which also concerns other matters, the request for consent must be 
made — 
(a) in a manner which clearly distinguishes the request from the 
other matters, 


(b) in an intelligible and easily accessible form, and 
(c) in clear and plain language.


Any part of a document described in subsection (3) which constitutes 
an infringement of this Part is not binding. 


The data subject may withdraw the consent at any time (but the 
withdrawal of consent does not affect the lawfulness of processing in 
reliance on the consent before its withdrawal). 


Processing may only be carried out in reliance on consent if — 
(a) before the consent is given, the controller or processor informs 
the data subject of the right to withdraw it, and 
(b) it is as easy for the data subject to withdraw the consent as to
give it. 


When assessing whether consent is freely given, account must be taken 
of, among other things, whether the provision of a service is conditional 
on consent to the processing of personal data that is not necessary for 
the provision of that service.” 


(5) In section 206 (index of defined expressions), in the Table, in the entry for 
“consent” — 


(a) after “consent” insert “(to processing of personal data)”,
(b) for “Part” substitute “Parts 3 and”, and
(c) for “section” substitute “sections 33, 40A and”.


Data protection principles 


5 Lawfulness of processing 


(1) The UK GDPR is amended in accordance with subsections (2) to (5). 


(2) In Article 6(1) (lawful processing) — 


(a) in point (e) —
(i) after “task” insert “of the controller”, and
(ii) after “or” insert “a task carried out”,
(b) after that point insert —


“(ea) processing is necessary for the purposes of a recognised
legitimate interest;”, and


(c) in the words after point (f), for “Point (f)” substitute “Points (ea) and
(f)”.


(3) In Article 6(3) (basis for processing etc), in the second subparagraph — 


(a) after “task” insert “of the controller”, and
(b) after “interest or” insert “a task carried out”.


In Article 6, at the end insert — 
“5. For the purposes of paragraph 1(ea), processing is necessary for the
purposes of a recognised legitimate interest only if it meets a condition in
Annex 1.


6. The Secretary of State may by regulations amend Annex 1 by — 
(a) adding or varying provisions, or 
(b) omitting provisions added by regulations made under this 
paragraph. 


7. The Secretary of State may only make regulations under paragraph 6 
where the Secretary of State considers it appropriate to do so having regard to, 
among other things — 


(a) the interests and fundamental rights and freedoms of data subjects 
which require protection of personal data, and 


(b) where relevant, the need to provide children with special protection 
with regard to their personal data. 


8. Regulations under paragraph 6 are subject to the affirmative resolution 
procedure.” 


In Article 21(1) (right to object), after “point (e)” insert “, (ea)”. 
Schedule 1 inserts Annex 1 to the UK GDPR. 


In section 8 of the 2018 Act (lawfulness of processing: public interest etc) — 
(a) omit “the controller’s”, 
(b) at the end of paragraph (c), insert “or”, and 
(c) omit paragraph (e) and the “or” before it. 


The purpose limitation 
The UK GDPR is amended in accordance with subsections (2) to (5). 


In Article 5(1)(b) (purpose limitation) — 
(a) after “collected” insert “(whether from the data subject or otherwise)”, 
(b) after “further processed” insert “by or on behalf of a controller”, and 
(c) for the words “those purposes;” to “initial purposes” substitute “the 
purposes for which the controller collected the data”. 


In Article 5, at the end insert — 


“3. For the avoidance of doubt, processing is not lawful by virtue only of 
being processing in a manner that is compatible with the purposes for which 
the personal data was collected.” 


In Article 6 (lawfulness of processing), omit paragraph 4. 
(5) After Article 8 insert —


“Article 8A 


Purpose limitation: further processing 


1. This Article is about the determination, for the purposes of Article 5(1)(b)
(purpose limitation), of whether processing of personal data by or on behalf of
a controller for a purpose (a “new purpose”) other than the purpose for which
the controller collected the data (“the original purpose”) is processing in a 
manner compatible with the original purpose. 


2. In making the determination, a person must take into account, among 
other things — 
(a) any link between the original purpose and the new purpose; 


(b) the context in which the personal data was collected, including the
relationship between the data subject and the controller;


(c) the nature of the personal data, including whether it is a special
category of personal data (see Article 9) or personal data related to
criminal convictions and offences (see Article 10);


(d) the possible consequences of the intended processing for data
subjects;


(e) the existence of appropriate safeguards (for example, encryption or
pseudonymisation).


3. Processing of personal data for a new purpose is to be treated as 
processing in a manner compatible with the original purpose where — 


(a) the data subject consents to the processing of personal data for the
new purpose and the new purpose is specified, explicit and
legitimate,


(b) the processing is carried out in accordance with Article 84B—

(i) for the purposes of scientific research or historical research,

(ii) for the purposes of archiving in the public interest, or

(iii) for statistical purposes,

(c) the processing is carried out for the purposes of ensuring that
processing of personal data complies with Article 5(1) or
demonstrating that it does so,


(d) the processing meets a condition in Annex 2, or


(e) the processing is necessary to safeguard an objective listed in Article
23(1)(c) to (j) and is authorised by an enactment or rule of law.
4. Where the controller collected the personal data based on Article 6(1)(a)
(data subject’s consent), processing for a new purpose is only processing in a 
manner compatible with the original purpose if — 


(a) it falls within paragraph 3(a) or (c), or


(b) it falls within paragraph 3(d) or (e) and the controller cannot be 
reasonably expected to obtain the data subject’s consent. 


5. The Secretary of State may by regulations amend Annex 2 by — 
(a) adding or varying provisions, or 


(b) omitting provisions added by regulations made under this 
paragraph. 


6. The Secretary of State may only make regulations under paragraph 5
adding a case to Annex 2 where the Secretary of State considers that processing 
in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j). 


7. Regulations under paragraph 5 may make provision identifying 
processing by any means, including by reference to the controller, the data 
subject, the personal data or the provision of Article 6(1) relied on for the 
purposes of the processing. 


8. Regulations under paragraph 5 are subject to the affirmative resolution 
procedure.” 


Schedule 2 inserts Annex 2 to the UK GDPR. 
The 2018 Act is amended in accordance with subsections (8) to (10). 


In section 36(1) (the second data protection principle) — 
(a) in paragraph (a), for “on any occasion” substitute “(whether from the 
data subject or otherwise)”, and 
(b) in paragraph (b) — 
(i) after “processed” insert “by or on behalf of a controller”, and 
(ii) for “it was collected” substitute “the controller collected it”. 


In section 87(1) (the second data protection principle) — 
(a) in paragraph (a), for “on any occasion” substitute “(whether from the 
data subject or otherwise)”, and 


(b) in paragraph (b) — 
(i) after “processed” insert “by or on behalf of a controller”, and 
(ii) for “it was collected” substitute “the controller collected it”. 


In Part 1 of Schedule 2 (adaptations and restrictions as described in Articles 
6(3) and 23(1)), in paragraph 1, omit sub-paragraph (b)(ii). 


Data subjects' rights 


Vexatious or excessive requests by data subjects 


The UK GDPR is amended in accordance with subsections (2) and (3). 
In Article 12 (transparent information, communication and modalities for the
exercise of rights of the data subject) — 


(a) in paragraph 2, at the end insert “(or refusal is allowed under Article 
12A)”, and 


(b) in paragraph 5, omit from “Where requests” to the end. 
After that Article insert — 
“Article 12A 
Vexatious or excessive requests 


1. Paragraph 2 applies where a request from a data subject under any of 
Articles 15 to 22 or 34 is vexatious or excessive. 


2. The controller may — 


(a) charge a reasonable fee for dealing with the request (see section 12 of 
the 2018 Act), or 


(b) refuse to act on the request. 


3. In any proceedings where there is an issue as to whether a request is 
vexatious or excessive, it is for the controller to show that it is. 


4. Whether a request is vexatious or excessive must be determined having 
regard to the circumstances of the request, including (so far as relevant) — 


(a) the nature of the request, 

(b) the relationship between the data subject and the controller, 

(c) the resources available to the controller, 

(d) the extent to which the request repeats a previous request made by 
the data subject to the controller, 


(e) how long ago any previous request was made, and 


(f) whether the request overlaps with other requests made by the data
subject to the controller. 


5. Examples of requests that may be vexatious include requests that —
(a) are intended to cause distress, 
(b) are not made in good faith, or 
(c) are an abuse of process.” 


The 2018 Act is amended in accordance with subsections (5) to (11). 


In section 12(1) (limits on fees that may be charged by controllers), in 
paragraph (a) — 
(a) for “12(5)” substitute “12A”, and
(b) for “manifestly unfounded” substitute “vexatious”. 
(6) In section 53 (manifestly unfounded or excessive requests by the data subject 
under Part 3) — 
(a) in the heading, for “Manifestly unfounded” substitute “Vexatious”, 
(b) at the beginning insert — 

“(A1) Subsection (1) applies where a request from a data subject 
under section 45, 46, 47 or 50 is vexatious or excessive (see 
section 204A).”, 

(c) in subsection (1), omit from the beginning to “excessive,”,

(d) omit subsection (2), 

(e) in subsection (3), for “manifestly unfounded” substitute “vexatious”, 
(f) after subsection (4) insert — 

“(4A) The Secretary of State may by regulations — 

(a) require controllers of a description specified in the 
regulations to produce and publish guidance about the 
fees that they charge in accordance with subsection 
(1)(a), and 

(b) specify what the guidance must include.”, 

(g) in subsection (5), for “subsection (4)” substitute “this section”, and 
(h) after subsection (5) insert — 


“(6) If, in reliance on subsection (1)(b), the controller does not take 
action on the request, the controller must inform the data 
subject of — 


(a) the reasons for not doing so, and 


(b) the data subject’s right to lodge a complaint with the 
Commissioner. 


(7) The controller must comply with subsection (6) — 
(a) without undue delay, and 


(b) in any event, before the end of the applicable time 
period (as to which see section 54)”. 


(7) In section 54(1) (meaning of “applicable time period”), for “and 48(2)(b)” 
substitute “, 48(2)(b) and 53(7)”. 


(8) In section 94 (data subject’s right of access under Part 4) —

(a) after subsection (2) insert —

“(2A) A controller is not obliged to provide information under this
section in response to a request that is vexatious or excessive
(see section 204A).”,

(b) in subsection (10), for “subsection (6)” substitute “subsections (2A) to
(6)”, and

(c) after subsection (11) insert —

“(11A) In any proceedings where there is an issue as to whether a
request is vexatious or excessive, it is for the controller to show
that it is.”
(9) In section 95 (data subject’s right of access: supplementary), omit subsections
(2) and (3).
(10) After section 204 insert — 
“204A Vexatious or excessive 


(1) For the purposes of this Act, whether a request is vexatious or excessive 
must be determined having regard to the circumstances of the request, 
including (so far as relevant) — 

(a) the nature of the request, 

(b) the relationship between the person making the request (the 
“sender”) and the person receiving it (the “recipient”), 

(c) the resources available to the recipient, 

(d) the extent to which the request repeats a previous request made 
by the sender to the recipient, 

(e) how long ago any previous request was made, and 

(f) whether the request overlaps with other requests made by the 
sender to the recipient. 


(2) For the purposes of this Act, examples of requests that may be 
vexatious include requests that — 
(a) are intended to cause distress, 
(b) are not made in good faith, or 
(c) are an abuse of process.” 


(11) In section 206 (index of defined expressions), in the Table, at the appropriate
places insert — 


“excessive section 204A”; 
“vexatious section 204A”. 
8 Time limits for responding to requests by data subjects 


(1) The UK GDPR is amended in accordance with subsections (2) and (3). 


(2) In Article 12 (transparent information, communication and modalities for the 
exercise of rights of the data subject) — 

(a) in paragraph 3, for “within one month of receipt of the request” 
substitute “before the end of the applicable time period (see Article 
12B)”, 

(b) in paragraph 4, for “without delay and at the latest within one month 
of receipt of the request” substitute “without undue delay, and in any 
event before the end of the applicable time period (see Article 12B),”, 
and 

(c) in paragraph 6— 

(i) after “may” insert “— 


(a) ”, and
(ii) at the end insert “, and 


(b) delay dealing with the request until the identity is
confirmed.”


After Article 12A (inserted by section 7 of this Act) insert — 


“Article 12B 
Meaning of “applicable time period” 


1. In Article 12, “the applicable time period” means the period of one month
beginning with the relevant time, subject to paragraph 3. 


2. “The relevant time” means the latest of the following — 
(a) when the controller receives the request in question; 


(b) when the controller receives the information (if any) requested in 
connection with a request under Article 12(6); 


(c) when the fee (if any) charged in connection with the request under 
Article 12A is paid. 


3. The controller may, by giving notice to the data subject, extend the 
applicable time period by two further months where that is necessary by 
reason of — 

(a) the complexity of requests made by the data subject, or 

(b) the number of such requests. 


4. A notice under paragraph 3 must —


(a) be given before the end of the period of one month beginning with the 
relevant time, and 


(b) state the reasons for the delay. 


5. Where the controller reasonably requires further information in order to
identify the information or processing activities to which a request under
Article 15 relates —


(a) the controller may ask the data subject to provide the further 
information, and 


(b) the period beginning with the day on which the controller makes the 
request and ending with the day on which the controller receives the 
information does not count towards — 

(i) the applicable time period, or 
(ii) the period described in paragraph 4(a).


6. An example of a case in which a controller may reasonably require 
further information is where the controller processes a large amount of 
information concerning the data subject.” 
(4) The 2018 Act is amended in accordance with subsections (5) to (7).


(5) In section 45(5) (right of access by the data subject), after “delay” insert “and in
any event before the end of the applicable time period (as to which see section 
54)”. 

(6) In section 54 (meaning of “applicable time period” for responding to data 
subjects’ requests) — 

(a) in subsection (1), after “45(3)(b)” insert “and (5)”,
(b) in subsection (2)— 
(i) for “1 month, or such longer period as may be specified in 
regulations,” substitute “one month”, and 
(ii) at the end insert “, subject to subsection (3A)”, and 
(c) after subsection (3) insert — 


“(3A) The controller may, by giving notice to the data subject, extend 
the applicable time period by two further months where that is 
necessary by reason of — 

(a) the complexity of requests made by the data subject, or 
(b) the number of such requests. 


(3B) A notice under subsection (3A) must— 
(a) be given before the end of the period of one month 
beginning with the relevant time, and 
(b) state the reasons for the delay. 


(3C) Where the controller reasonably requires further information in 
order to identify the information or processing activities to 
which a request under section 45(1) relates — 

(a) the controller may ask the data subject to provide the 
further information, and 
(b) the period beginning with the day on which the 
controller makes the request and ending with the day on 
which the controller receives the information does not 
count towards — 
(i) the applicable time period, or 
(ii) the period described in subsection (3B)(a). 


(3D) An example of a case in which a controller may reasonably 
require further information is where the controller processes a 
large amount of information concerning the data subject.”, and 


(d) omit subsections (4) to (6). 


(7) In section 94 (right of access under Part 4) —
(a) in subsection (14), for the definition of “the applicable time period” 
substitute — 

““the applicable time period” means the period of one 
month beginning with the relevant time, subject to 
subsection (14A);”, and 

(b) after subsection (14) insert — 


“(14A) The controller may, by giving notice to the data subject, extend 
the applicable time period by two further months where that is 
necessary by reason of — 

(a) the complexity of requests made by the data subject, or 
(b) the number of such requests.


(14B) A notice under subsection (14A) must — 
(a) be given before the end of the period of one month 
beginning with the relevant time, and 
(b) state the reasons for the delay.” 


9 Information to be provided to data subjects 


(1) In Article 13 of the UK GDPR (information to be provided where personal data 
is collected from the data subject) — 
(a) in paragraph 4, for “shall not apply where and insofar as” substitute 
“do not apply to the extent that”, and 
(b) at the end insert — 


“5. Paragraph 3 does not apply to the extent that — 
(a) the controller intends to further process the personal data— 


(i) for (and only for) the purposes of scientific or historical
research, the purposes of archiving in the public interest 
or statistical purposes, and 


(ii) in accordance with Article 84B, and 


(b) providing the information is impossible or would involve a 
disproportionate effort. 


6. For the purposes of paragraph 5(b), whether providing 
information would involve a disproportionate effort depends on, 
among other things, the number of data subjects, the age of the personal 
data and any appropriate safeguards applied to the processing.” 


(2) In Article 14 of the UK GDPR (information to be provided where personal data
has not been obtained from the data subject) —

(a) in paragraph 5—
(i) for “shall not apply where and insofar as” substitute “do not
apply to the extent that”,
omit point (b), 
omit “or” at the end of point (c), 
in point (d), omit “where”, and 
after that point insert — 


“(e) providing the information is impossible or would 
involve a disproportionate effort, or 


(f) the obligation referred to in paragraph 1 is likely to 
render impossible or seriously impair the 
achievement of the objectives of the processing for 
which the personal data are intended.” 
(b) at the end insert —


“6. For the purposes of paragraph 5(e), whether providing 
information would involve a disproportionate effort depends on, 
among other things, the number of data subjects, the age of the personal 
data and any appropriate safeguards applied to the processing. 


7. A controller relying on paragraph 5(e) or (f) must take 
appropriate measures to protect the data subject’s rights, freedoms and 
legitimate interests, including by making the information available 
publicly.” 


10 Data subjects’ rights to information: legal professional privilege exemption 


(1) The 2018 Act is amended as follows. 


(2) In section 43 (overview and scope of Chapter 3 of Part 3: rights of the data 
subject in connection with law enforcement processing) — 


(a) in subsection (1)(a), for “section 44” substitute “sections 44 and 45A”,
(b) in subsection (1)(b), for “section 45” substitute “sections 45 and 45A”.


(3) For the italic heading before section 44 substitute — 


“Data subject's rights to information”. 


(4) In the heading of section 44, omit “Information:”.


(5) Omit the italic heading before section 45. 


(6) After that section insert — 


“45A Exemption from sections 44 and 45: legal professional privilege 


(1) Sections 44(2) and 45(1) do not require the controller to give the data
subject — 

(a) information in respect of which a claim to legal professional 
privilege or, in Scotland, confidentiality of communications 
could be maintained in legal proceedings, or 

(b) information in respect of which a duty of confidentiality is 
owed by a professional legal adviser to a client of the adviser. 


(2) A controller relying on the exemption in subsection (1) must inform the 
data subject in writing without undue delay of — 
(a) the decision to rely on the exemption, 
(b) the reason for the decision, 
(c) the data subject’s right to make a request to the Commissioner 
under section 51, 
(d) the data subject’s right to lodge a complaint with the 
Commissioner under section 165, and 
(e) the data subject’s right to apply to a court under section 167. 


(3) Subsection (2)(a) and (b) do not apply to the extent that complying with 
them would — 

(a) undermine a claim described in subsection (1)(a), or 

(b) conflict with a duty described in subsection (1)(b). 
(4) The controller must — 
(a) record the reason for a decision to rely on the exemption in 
subsection (1), and 
(b) if requested to do so by the Commissioner, make the record 
available to the Commissioner. 


(5) The reference in subsection (1) to sections 44(2) and 45(1) includes 
sections 35 to 40 so far as their provisions correspond to the rights and 
obligations provided for in sections 44(2) and 45(1).” 


(7) In section 51 (exercise of rights through the Commissioner) — 
(a) in subsection (1), after paragraph (b) (but before the “or” at the end of 
that paragraph) insert — 

“(ba) relies on the exemption from sections 44(2) and 45(1) in 
section 45A (legal professional privilege),”, 

(b) in subsection (2), after paragraph (a) insert — 

“(aa) where subsection (1)(ba) applies, request the 
Commissioner to check that the controller was entitled 
to rely on the exemption;”, 

(c) in subsection (4), after paragraph (a) insert — 

“(aa) where subsection (1)(ba) applies, whether the 
Commissioner is satisfied that the controller was 
entitled to rely on the exemption;”, and 

(d) in subsection (6), after “(a)” insert “, (aa)”. 


Automated decision-making 


11 Automated decision-making 


(1) For Article 22 of the UK GDPR (automated individual decision-making, 
including profiling) substitute — 


“Section 4A 


Automated individual decision-making 


Article 22A 
Automated processing and significant decisions 
1. For the purposes of Articles 22B and 22C — 


(a) a decision is based solely on automated processing if there is no 
meaningful human involvement in the taking of the decision, and 


(b) a decision is a significant decision, in relation to a data subject, if — 
(i) it produces a legal effect for the data subject, or 
(ii) it has a similarly significant effect for the data subject. 


2. References in this Article and Articles 22B to 22D to a decision and to 
taking a decision include profiling and carrying out profiling. 


Article 22B 
Restrictions on automated decision-making 
1. A significant decision based entirely or partly on special categories of 
personal data referred to in Article 9(1) may not be taken based solely on 
automated processing, unless one of the following conditions is met. 


2. The first condition is that the decision is based entirely on processing of 
personal data to which the data subject has given explicit consent. 


3. The second condition is that — 
(a) the decision is — 
(i) necessary for entering into, or performing, a contract between 
the data subject and a controller, or 
(ii) required or authorised by law, and 
(b) point (g) of Article 9(2) applies. 


4. A significant decision may not be taken based solely on automated 
processing if the processing of personal data carried out by, or on behalf of, the 
decision-maker for the purposes of the decision is carried out entirely or partly 
in reliance on Article 6(1)(ea). 


Article 22C 
Safeguards for automated decision-making 

1. Where a significant decision taken by or on behalf of a controller is— 

(a) based entirely or partly on personal data, and 

(b) based solely on automated processing, 
the controller must ensure that safeguards for the data subject’s rights, 
freedoms and legitimate interests are in place which comply with paragraph 2 
and any regulations under Article 22D(3). 


2. The safeguards must consist of or include measures which — 


(a) provide the data subject with information about decisions described 
in paragraph 1 taken in relation to the data subject; 


(b) enable the data subject to make representations about such decisions; 


(c) enable the data subject to obtain human intervention on the part of 
the controller in relation to such decisions; 


(d) enable the data subject to contest such decisions. 


Article 22D 
Further provision about automated decision-making 


1. The Secretary of State may by regulations provide that, for the purposes 
of Article 22A(1)(b)(ii), a description of decision is, or is not, to be taken to have 
a similarly significant effect for the data subject. 


2. Regulations under paragraph 1 may amend Article 22A. 
3. The Secretary of State may by regulations make further provision about 
the safeguards required under Article 22C(1), including provision about what 
is, or is not, to be taken to satisfy a requirement under Article 22C(1) or (2). 
4. Regulations under paragraph 3 may amend Article 22C— 

(a) by adding or varying safeguards, and 

(b) by omitting provision added by regulations under that paragraph. 


5. Regulations under this Article are subject to the affirmative resolution 
procedure.” 


(2) The 2018 Act is amended in accordance with subsections (3) to (5). 


(3) For sections 49 and 50 (law enforcement processing: automated individual 
decision making) substitute — 


“50A Automated processing and significant decisions 


(1) For the purposes of sections 50B and 50C — 

(a) a decision is based solely on automated processing if there is no 
meaningful human involvement in the taking of the decision, 
and 

(b) a decision is a significant decision, in relation to a data subject, 
if— 

(i) it produces an adverse legal effect for the data subject, or 
(ii) it has a similarly significant adverse effect for the data 
subject. 


(2) References in this section and sections 50B to 50D to a decision and to 
taking a decision include profiling and carrying out profiling. 


50B Restrictions on automated decision-making using sensitive personal 
data 


(1) A significant decision based entirely or partly on sensitive personal 
data may not be taken based solely on automated processing, unless 
one of the following conditions is met. 


(2) The first condition is that the decision is based entirely on processing of 
personal data to which the data subject has given explicit consent. 


(3) The second condition is that the decision is required or authorised by 
law. 


50C Safeguards for automated decision-making 


(1) Subject to subsection (3), where a significant decision taken by or on 
behalf of a controller is— 
(a) based entirely or partly on personal data, and 
(b) based solely on automated processing, 


the controller must ensure that safeguards for the data subject’s rights, 
freedoms and legitimate interests are in place which comply with 
subsection (2) and any regulations under section 50D(3). 


(2) The safeguards must consist of or include measures which— 

(a) provide the data subject with information about decisions 
described in subsection (1) taken in relation to the data subject; 

(b) enable the data subject to make representations about such 
decisions; 

(c) enable the data subject to obtain human intervention on the part 
of the controller in relation to such decisions; 

(d) enable the data subject to contest such decisions. 


(3) Subsections (1) and (2) do not apply in relation to a significant decision 
if— 
(a) exemption from those provisions is required for a reason listed 
in subsection (4), and 
(b) the controller reconsiders the decision, as soon as reasonably 
practicable, in a manner that is not based solely on automated 
processing. 


(4) Those reasons are— 

(a) to avoid obstructing an official or legal inquiry, investigation or 
procedure; 

(b) to avoid prejudicing the prevention, detection, investigation or 
prosecution of criminal offences or the execution of criminal 
penalties; 

(c) to protect public security; 

(d) to safeguard national security; 

(e) to protect the rights and freedoms of others. 


50D Further provision about automated decision-making 


(1) The Secretary of State may by regulations provide that, for the purposes 
of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken 
to have a similarly significant adverse effect for the data subject. 


(2) Regulations under subsection (1) may amend section 50A. 


(3) The Secretary of State may by regulations make further provision about 
the safeguards required under section 50C(1), including provision 
about what is, or is not, to be taken to satisfy a requirement under 
section 50C(1) or (2). 

(4) Regulations under subsection (3) may amend section 50C — 

(a) by adding or varying safeguards, and 


(b) by omitting provision added by regulations under that 
subsection. 

(5) Regulations under this section are subject to the affirmative resolution 
procedure.” 


(4) In section 96 (intelligence services processing: right not to be subject to 
automated decision-making) — 


(a) in subsection (1), for “solely on” substitute “on entirely”, 
(b) in subsection (3), after “section” insert “and section 97”, and 
(c) at the end insert— 


“(4) For the purposes of this section and section 97, a decision is 
based on entirely automated processing if the decision-making 
process does not include an opportunity for a human being to 
accept, reject or influence the decision.” 


(5) In section 97 (intelligence services processing: right to intervene in automated 
decision-making) — 
(a) in subsection (1)(a), for “solely on” substitute “on entirely”, 
(b) in subsection (4)(b), for “solely on” substitute “on entirely”, and 
(c) omit subsection (6). 


(6) Schedule 3 contains amendments consequential on this section. 


Obligations of controllers and processors 


12 General obligations 
(1) The UK GDPR is amended in accordance with subsections (2) to (4). 


(2) In Article 24(1) (responsibility of the controller), for “appropriate technical and 
organisational measures” substitute “appropriate measures, including 
technical and organisational measures,”. 


(3) In Article 25 (data protection by design and by default) — 

(a) in paragraph 1, for “appropriate technical and organisational 
measures” substitute “appropriate measures, including technical and 
organisational measures”, and 

(b) in paragraph 2, for “appropriate technical and organisational 
measures” substitute “appropriate measures, including technical and 
organisational measures,”. 


(4) In Article 28 (processor) — 

(a) in paragraph 1, for “appropriate technical and organisational 
measures” substitute “appropriate measures, including technical and 
organisational measures”, 

(b) in paragraph 3(e), for “appropriate technical and organisational 
measures” substitute “appropriate measures, including technical and 
organisational measures”, and 

(c) in paragraph 4, for “appropriate technical and organisational 
measures” substitute “appropriate measures, including technical and 
organisational measures”. 


(5) The 2018 Act is amended in accordance with subsections (6) to (10). 


(6) In section 55(3) (overview and scope of provisions about controllers and 
processors), omit “technical and organisational”. 


(7) In section 56 (general obligations of the controller) — 


(a) in subsection (1), for “appropriate technical and organisational 
measures” substitute “appropriate measures, including technical and 
organisational measures,”, and 


(b) in subsection (3), omit “technical and organisational”. 


(8) In section 57 (data protection by design and by default) — 


(a) in subsection (1), for “appropriate technical and organisational 
measures” substitute “appropriate measures, including technical and 
organisational measures,”, and 


(b) in subsection (3), for “appropriate technical and organisational 
measures” substitute “appropriate measures, including technical and 
organisational measures,”. 


(9) In section 59(2) (processors), for “appropriate technical and organisational 
measures” substitute “appropriate measures, including technical and 
organisational measures,”. 


(10) In section 103(2) (data protection by design), for “appropriate technical and 
organisational measures” substitute “appropriate measures, including 
technical and organisational measures,”. 


13 Removal of requirement for representatives for controllers etc outside the UK 


(1) Omit Article 27 of the UK GDPR (representatives of controllers or processors 
not established in the United Kingdom). 


(2) In consequence of that revocation, in the UK GDPR— 
(a) in Article 4, omit point (17) (definition of “representative”), 
(b) in Article 13(1)(a) (information to be provided where personal data is 
collected from the data subject), omit “and, where applicable, of the 
controller’s representative”, 


(c) in Article 14(1)(a) (information to be provided where personal data is 
not obtained from the data subject), omit “and, where applicable, of the 
controller’s representative”, 

(d) in Article 30 (records of processing activities) — 

(i) in paragraph 1, in the words before point (a), omit “and, where 
applicable, the controller’s representative,”, 

(ii) in paragraph 1(a), omit “, the controller’s representative”, 

(iii) in paragraph 2, in the words before point (a), omit “and, where 
applicable, the processor’s representative”, 

(iv) in paragraph 2(a), for “, and, where applicable, of the 
controller’s or the processor’s representative, and” substitute 
“and of”, and 

(v) in paragraph 4, omit “and, where applicable, the controller’s or 
the processor’s representative,”, 

(e) in Article 31 (cooperation with the Commissioner), omit “and, where 
applicable, their representatives,” and 


(f) in Article 58(1)(a) (Commissioner’s powers), omit “, and, where 
applicable, the controller’s or the processor’s representative”. 


(3) In consequence of that revocation, in the 2018 Act— 
(a) in section 142 (information notices), omit subsection (9), 
(b) in section 143 (information notices: restrictions), omit subsection (9), 
(c) in section 181 (interpretation of Part 6), omit the definition of 
“representative”, 


(d) in section 206 (index of defined expressions), in the Table, omit the 
entry for “representative (in Part 6)”, and 


(e) in paragraph 41 of Schedule 1 (additional safeguards for processing of 
special categories of personal data etc: record of processing), omit “, or 
the controller’s representative”. 


14 Senior responsible individual 
(1) The UK GDPR is amended in accordance with subsections (2) and (3). 
(2) Before Article 28 insert — 


“Section 1A 


Senior responsible individual 


Article 27A 
Designation of senior responsible individual 


1. This Article and Articles 27B and 27C apply to a controller or processor 
that — 


(a) is a public body, or 


(b) carries out processing of personal data which, taking into account the 
nature, scope, context and purposes of the processing, is likely to 
result in a high risk to the rights and freedoms of individuals, 


other than a court or tribunal acting in its judicial capacity. 


2. The controller or processor must designate one individual to be its senior 
responsible individual, subject to paragraph 3(b). 


3. Where the controller or processor is an organisation — 


(a) a designated individual must be part of the organisation’s senior 
management, and 


(b) the controller or processor may designate two or more individuals to 
act jointly as its senior responsible individual where the individuals 
are employed part-time and share a single role within the 
organisation’s senior management. 


4. The controller or processor must — 


(a) ensure that the current contact details of the senior responsible 
individual are publicly available, and 


(b) send those details to the Commissioner. 


5. In this Article, “senior management”, in relation to an organisation, 
means the individuals who play significant roles in the making of decisions 
about how the whole or a substantial part of its activities are to be managed or 
organised. 


Article 27B 
Senior responsible individual’s tasks 


1. The senior responsible individual designated by a controller must be 
responsible at least for performing the tasks listed in paragraph 2 or securing 
that they are performed by another person. 


2. Those tasks are— 


(a) monitoring compliance by the controller with the data protection 
legislation; 

(b) ensuring that the controller develops, implements, reviews and 
updates measures to ensure its compliance with the data protection 
legislation; 

(c) informing and advising the controller, any processor engaged by the 
controller and employees of the controller who carry out processing 
of personal data of their obligations under the data protection 
legislation; 

(d) organising training for employees of the controller who carry out 
processing of personal data; 

(e) dealing with complaints made to the controller in connection with the 
processing of personal data; 

(f) dealing with personal data breaches; 

(g) co-operating with the Commissioner on behalf of the controller; 

(h) acting as the contact point for the Commissioner on issues relating to 
processing of personal data. 


3. The senior responsible individual designated by a processor must be 
responsible at least for performing the tasks listed in paragraph 4 or securing 
that they are performed by another person. 


4. Those tasks are— 


(a) monitoring compliance by the processor with Articles 28, 30A and 32; 

(b) co-operating with the Commissioner on behalf of the processor; 

(c) acting as the contact point for the Commissioner on issues relating to 
processing of personal data. 


5. Where the performance of one of its tasks would result in a conflict of 
interests, the senior responsible individual must secure that the task is 
performed by another person. 


6. In deciding whether one or more of their tasks should be performed by 
another person (whether alone or jointly with others) and, if so, by whom, the 
senior responsible individual must consider, among other things — 


(a) the other person’s professional qualifications and knowledge of the 
data protection legislation, 


(b) the resources likely to be available to the other person to carry out the 
task, and 


(c) whether the other person is involved in day-to-day processing of 
personal data for the controller or processor and, if so, whether that 
affects the person’s ability to perform the task. 


Article 27C 
Senior responsible individual’s position 


1. A controller or processor must support its senior responsible individual 
in the performance of the individual’s tasks, including by providing the 
individual with appropriate resources. 


2. A controller or processor must not dismiss or penalise its senior 
responsible individual for performing the individual’s tasks. 


3. Where the senior responsible individual decides that one or more of its 
tasks should be performed by another person, the controller or processor must 
ensure that the person — 


(a) has appropriate resources to perform the task, 


(b) is not dismissed or penalised by the controller or processor for 
performing the task, and 


(c) does not receive instructions about the performance of the task. 


4. Paragraph 3(c) does not require the controller or processor to prevent 
instructions being given by the senior responsible individual or another person 
performing a task for the senior responsible individual, except where such 
instructions would involve a conflict of interests. 


Section 1B 


Processor etc”. 


(3) Omit Articles 37 to 39 (designation, position and tasks of data protection 
officer) and the section heading before Article 37. 


(4) The 2018 Act is amended in accordance with subsections (5) and (6). 


(5) After section 58 insert — 


“Senior responsible individual 


58A Designation of senior responsible individual 


(1) This section and sections 58B and 58C apply to all controllers and 
processors other than a court, or other judicial authority, acting in its 
judicial capacity. 


(2) The controller or processor must designate one individual to be its 
senior responsible individual. 


(3) Where the controller or processor is an organisation — 
(a) a designated individual must be part of the organisation’s 
senior management, and 
(b) the controller or processor may designate two or more 
individuals to act jointly as its senior responsible individual 
where the individuals are employed part-time and share a 
single role within the organisation’s senior management. 


(4) The controller or processor must — 
(a) ensure that the current contact details of the senior responsible 
individual are publicly available, and 
(b) send those details to the Commissioner. 


(5) In this section, “senior management”, in relation to an organisation, 
means the individuals who play significant roles in the making of 
decisions about how the whole or a substantial part of its activities are 
to be managed or organised. 


58B Tasks of the senior responsible individual 


(1) The senior responsible individual designated by a controller must be 
responsible at least for performing the tasks listed in subsection (2) or 
securing that they are performed by another person. 


(2) Those tasks are — 

(a) monitoring compliance by the controller with the data 
protection legislation; 

(b) ensuring that the controller develops, implements, reviews and 
updates measures to ensure its compliance with the data 
protection legislation; 

(c) informing and advising the controller, any processor engaged 
by the controller and employees of the controller who carry out 
processing of personal data of their obligations under the data 
protection legislation; 

(d) organising training for employees of the controller who carry 
out processing of personal data; 

(e) dealing with complaints made to the controller in connection 
with the processing of personal data; 

(f) dealing with personal data breaches; 

(g) co-operating with the Commissioner on behalf of the controller; 

(h) acting as the contact point for the Commissioner on issues 
relating to processing of personal data. 


(3) The senior responsible individual designated by a processor must be 
responsible at least for performing the tasks listed in subsection (4) or 
securing that they are performed by another person. 


(4) Those tasks are— 


(a) monitoring compliance by the processor with sections 59, 61A 
and 66; 


(b) co-operating with the Commissioner on behalf of the processor; 


(c) acting as the contact point for the Commissioner on issues 
relating to processing of personal data. 


(5) Where the performance of one of its tasks would result in a conflict of 
interests, the senior responsible individual must secure that the task is 
performed by another person. 


(6) In deciding whether one or more of their tasks should be performed by 
another person (whether alone or jointly with others), and, if so, by 
whom, the senior responsible individual must consider, among other 
things — 
(a) the other person’s professional qualifications and knowledge of 
the data protection legislation, 
(b) the resources likely to be available to the other person to carry 
out the task, and 
(c) whether the other person is involved in day-to-day processing 
of personal data for the controller or processor and, if so, 
whether that affects the person’s ability to perform the task. 


58C Senior responsible individual’s position 


(1) A controller or processor must support its senior responsible 
individual in the performance of the individual’s tasks, including by 
providing the individual with appropriate resources. 


(2) A controller or processor must not dismiss or penalise its senior 
responsible individual for performing the individual’s tasks. 


(3) Where its senior responsible individual decides that one or more of its 
tasks should be performed by another person, the controller or 
processor must ensure that the person — 
(a) has appropriate resources to perform the task, 
(b) is not dismissed or penalised by the controller or processor for 
performing the task, and 
(c) does not receive instructions about the performance of the task. 


(4) Subsection (3)(c) does not require the controller or processor to prevent 
instructions being given by the senior responsible individual or another 
person performing a task for the senior responsible individual, except 
where such instructions would involve a conflict of interests. 


Processor etc”. 


(6) Omit sections 69 to 71 (designation, position and tasks of data protection 
officer) and the italic heading before section 69. 


15 Duty to keep records 
(1) The UK GDPR is amended in accordance with subsections (2) to (4). 
(2) Before Article 30 insert — 
“Section 1C 
Records and co-operation with the Commissioner”. 
(3) Omit Article 30 (records of processing activities). 
(4) After that Article insert — 
“Article 30A 
Records of processing of personal data 
1. Each controller must maintain appropriate records of processing of 
personal data carried out by or on behalf of the controller. 
2. The controller’s records must include at least the following information 
about the personal data in respect of which the controller is for the time being 
a controller — 

(a) where the personal data is (including information about any personal 
data that is outside the United Kingdom), 

(b) the purposes for which the controller is processing the personal data, 

(c) who the controller has shared, or intends to share, the personal data 
with (including recipients who are in third countries or international 
organisations), 

(d) how long the controller intends to retain the personal data, 

(e) whether the personal data includes special categories of personal 
data referred to in Article 9(1) and, if so, which categories, and 

(f) whether the personal data includes personal data relating to criminal 
convictions and offences or related security measures referred to in 
Article 10(1) and, if so, which types of such data. 


3. Where possible, the controller’s records must include information about 
how it ensures that personal data is secure. 


4. Each processor must maintain appropriate records of its processing of 
personal data. 


5. The processor’s records must include at least the following information 
about the personal data in respect of which it is for the time being a processor — 

(a) the name and contact details of each controller on behalf of which the 
processor is acting, and 

(b) where the personal data is (including information about any personal 
data that is outside the United Kingdom). 


6. Where possible, the processor’s records must include information about 
how it ensures that personal data is secure. 


7. A controller or processor must make the records maintained under this 
Article available to the Commissioner on request. 


8. In deciding what is appropriate for the purposes of this Article, a 
controller or processor must take into account, among other things — 


(a) the nature, scope, context and purposes of processing carried out by 
or on behalf of the controller or by the processor, 


(b) the risks for the rights and freedoms of individuals arising from that 
processing, including the likelihood of risks arising and their 
severity, and 


(c) the resources available to the controller or processor. 


9. Paragraphs 1 to 6 do not apply to a controller or processor that employs 
fewer than 250 individuals unless the controller or processor carries out 
processing that is likely to result in a high risk to the rights and freedoms of 
data subjects.” 


The 2018 Act is amended in accordance with subsections (7) to (9). 
In section 42 (safeguards: sensitive processing), omit subsection (4). 


Before section 61 insert— 


“Records and co-operation with the Commissioner”. 
Omit section 61 (records of processing activities). 
After that section insert — 
“61A Records of processing of personal data 


(1) Each controller must maintain appropriate records of processing of 
personal data carried out by or on behalf of the controller. 


(2) The controller’s records must include at least the following information 
about the personal data in respect of which the controller is for the time 
being a controller — 

(a) where the personal data is (including information about any 
personal data that is outside the United Kingdom), 

(b) the purposes for which the controller is processing the personal 
data, 

(c) who the controller has shared, or intends to share, the personal 
data with (including recipients who are in third countries or 
international organisations), 

(d) how long the controller intends to retain the personal data, and 

(e) whether the personal data includes personal data described in 
section 35(8) and, if so, which types of such data. 


(3) Where possible, the controller’s records must include information 
about how it ensures that personal data is secure. 


(4) Each processor must maintain appropriate records of its processing of 
personal data. 


(5) The processor’s records must include at least the following information 
about the personal data in respect of which it is for the time being a 
processor — 
(a) the name and contact details of each controller on behalf of 
which the processor is acting, and 
(b) where the personal data is (including information about any 
personal data that is outside the United Kingdom). 


(6) Where possible, the processor’s records must include information 
about how it ensures that personal data is secure. 


(7) A controller or processor must make the records maintained under this 
section available to the Commissioner on request. 


(8) In deciding what is appropriate for the purposes of this section, a 
controller or processor must take into account, among other things — 

(a) the nature, scope, context and purposes of processing carried 
out by or on behalf of the controller or by the processor, 

(b) the risks for the rights and freedoms of individuals arising from 
that processing, including the likelihood of risks arising and 
their severity, and 

(c) the resources available to the controller or processor.” 


16 Logging of law enforcement processing 


In section 62 of the 2018 Act (logging of law enforcement processing) — 


(a) in subsection (2)(a), omit “justification for, and”, and 
(b) in subsection (3)(a), omit “justification for, and”. 


17 Assessment of high risk processing 


(1) The UK GDPR is amended in accordance with subsections (2) and (3). 


(2) In the heading of Section 3 of Chapter 4, for “Data protection impact 
assessment” substitute “Assessment of high risk processing”. 


(3) In Article 35 (data protection impact assessment) — 


(a) for the heading substitute “Assessment of high risk processing”,

(b) in paragraph 1, for “natural persons” substitute “individuals”,

(c) omit paragraphs 2 and 3,

(d) in paragraph 4, for “a data protection impact assessment” substitute
“an assessment”,

(e) in paragraph 5, for “data protection impact assessment” substitute
“assessment pursuant to paragraph 1”,

(f) for paragraph 7 substitute —


“7. The controller must produce a document recording compliance 
with this Article which includes at least — 


(a) a summary of the purposes of the processing,


(b) an assessment of whether the processing is necessary for
those purposes,


(c) an assessment of the risks to individuals referred to in
paragraph 1, and


(d) a description of how the controller proposes to mitigate those
risks.”,


(g) in paragraph 8, for “, in particular for the purposes of a data protection 
impact assessment” substitute “for the purposes of an assessment 
required by paragraph 1”, 

(h) omit paragraph 9, 

(i) in paragraph 10— 

(i) for “a data protection impact assessment” substitute “an 
assessment of the envisaged processing operations on the 
protection of personal data”, and 


(ii) omit “for the processing”, and 
(j) in paragraph 11— 
(i) omit “Where necessary,”, and 


(ii) for “to assess if processing is performed in accordance with the 
data protection impact assessment” substitute “of an 
assessment pursuant to paragraph 1 where necessary and”. 


(4) The 2018 Act is amended in accordance with subsections (5) and (6). 


(5) Before section 64 insert — 


“Risk assessment and prior consultation”. 


(6) In section 64 (data protection impact assessment) —
(a) for the heading substitute “Assessment of high risk processing”, 


(b) in subsection (1), for “a data protection impact assessment” substitute 
“an assessment of the impact of the envisaged processing operations on 
the protection of personal data”, 


(c) omit subsection (2), and 
(d) for subsection (3) substitute — 


“(3) The controller must produce a document recording compliance 
with this section which includes at least — 


(a) a summary of the purposes of the processing,

(b) an assessment of whether the processing is necessary for
those purposes,

(c) an assessment of the risks to the rights and freedoms of
individuals referred to in subsection (1), and

(d) a description of how the controller proposes to mitigate
those risks.”


18 Consulting the Commissioner prior to processing 


(1) Article 36 of the UK GDPR (prior consultation) is amended in accordance with 
subsections (2) and (3). 


(2) In paragraph 1— 
(a) for “shall” substitute “may”, and 
(b) for “a data protection impact assessment” substitute “an assessment”. 


(3) In paragraph 3— 
(a) in point (d), for “data protection officer” substitute “senior responsible 
individual”, and 
(b) in point (e) omit “data protection impact”. 
(4) Section 65 of the 2018 Act (prior consultation) is amended in accordance with 
subsections (5) and (6). 


(5) In subsection (2)— 
(a) for “must” substitute “may”, and 
(b) for “a data protection impact assessment under section 64 indicates that 
the processing would” substitute “it considers that the processing 
would or may”. 


(6) In subsection (3) —
(a) for “is required to consult” substitute “consults”, 
(b) omit paragraph (a) (and the “and” after it), and 
(c) in paragraph (b), omit “other”. 


19 Law enforcement processing and codes of conduct 


(1) The 2018 Act is amended as follows. 


(2) In section 55(1) (overview and scope of provisions about controllers and 
processors), at the end insert — 


“(e) makes provision about codes of conduct (see section 68A).”


(3) In section 56 (general obligations of the controller), at the end insert —


“(4) Adherence to a code of conduct approved under section 68A may be 
used by a controller as a means of demonstrating compliance with the 
requirements of this Part.” 


(4) In section 59 (processors), after subsection (7) insert —


“(7A) Adherence to a code of conduct approved under section 68A may be 
used by a processor as a means of demonstrating sufficient guarantees 
as described in subsection (2).” 


(5) In section 66 (security of processing), at the end insert —


“(3) Adherence to a code of conduct approved under section 68A may be 
used by a controller or processor as a means of demonstrating 
compliance with subsection (1).” 
(6) After section 68 insert —


“Codes of conduct 


68A Codes of conduct 


(1) The Commissioner must encourage expert public bodies to produce
codes of conduct intended to contribute to compliance with this Part.


(2) Under subsection (1), the Commissioner must, among other things,
encourage the production of codes which take account of the specific
features of the various processing sectors.


(3) For the purposes of this section—
(a) “public body” means a body or other person whose functions
are, or include, functions of a public nature, and
(b) a public body is “expert” if, in the Commissioner’s opinion, the
body has the knowledge and experience needed to produce a
code of conduct described in subsection (1).


(4) A code of conduct described in subsection (1) may, for example, make
provision with regard to—

(a) lawful and fair processing;

(b) the collection of personal data;

(c) the information provided to the public and to data subjects;

(d) the exercise of the rights of data subjects;

(e) the measures and procedures referred to in sections 56, 57 and 62;

(f) the notification of personal data breaches to the Commissioner
and the communication of personal data breaches to data
subjects;

(g) the transfer of personal data to third countries or international
organisations;

(h) out-of-court proceedings and other dispute resolution
procedures for resolving disputes between controllers and data
subjects with regard to processing.


(5) Where an expert public body prepares a code of conduct described in
subsection (1), it must submit the code to the Commissioner in draft.


(6) Where an expert public body submits a draft code to the Commissioner
under this section, the Commissioner must —
(a) provide the body with an opinion on whether the draft code
correctly reflects the requirements of this Part,
(b) decide whether to approve the code, and
(c) if the code is approved, register and publish the code.


(7) Subsections (5) and (6) apply in relation to amendments of a code of
conduct described in subsection (1) as they apply in relation to such a
code.”


20 Obligations of controllers and processors: consequential amendments 


Schedule 4 contains amendments consequential on this group of sections. 
International transfers of personal data


Transfers of personal data to third countries and international organisations 


(1) Schedule 5 amends Chapter 5 of the UK GDPR (general processing and 
transfers of personal data to third countries and international organisations). 


(2) Schedule 6 amends Chapter 5 of Part 3 of the 2018 Act (law enforcement 
processing and transfers of personal data to third countries and international 
organisations). 


(3) Schedule 7 contains consequential and transitional provision. 
Safeguards for processing for research etc purposes 


Safeguards for processing for research etc purposes 
(1) The UK GDPR is amended in accordance with subsections (2) to (4). 
(2) After Chapter 8 insert — 


“CHAPTER 8A 


Safeguards for processing for research, archiving or statistical purposes 


Article 84A 
Research, archives and statistics 
1. This Chapter makes provision about the processing of personal data — 
(a) for the purposes of scientific research or historical research, 
(b) for the purposes of archiving in the public interest, or 
(c) for statistical purposes. 


2. Those purposes are referred to in this Chapter as “RAS purposes”. 


Article 84B 
Additional requirements when processing for RAS purposes 


1. Processing of personal data for RAS purposes must be carried out subject 
to appropriate safeguards for the rights and freedoms of the data subject. 


2. Processing of personal data for RAS purposes must be carried out in a 
manner which does not permit the identification of a living individual. 


3. Paragraph 2 does not apply — 


(a) to the collection of personal data (whether from the data subject or 
otherwise), or 
(b) to cases in which the RAS purposes cannot be fulfilled by further
processing in the manner described in that paragraph. 


4. For the purposes of paragraph 2, processing permits the identification of 
a living individual only in cases described in section 3A(2) and (3) of the 2018 
Act (information relating to an identifiable living individual). 


Article 84C 
Appropriate safeguards 


1. This Article makes provision about when the requirement under Article
84B(1) for processing to be carried out subject to appropriate safeguards is 
satisfied. 


2. The requirement is not satisfied if the processing is likely to cause 
substantial damage or substantial distress to a data subject. 


3. The requirement is not satisfied if the processing is carried out for the 
purposes of measures or decisions with respect to a particular data subject, 
except where the purposes for which the processing is carried out include the 
purposes of approved medical research. 


4. The requirement is only satisfied if the safeguards include technical and 
organisational measures for the purpose of ensuring respect for the principle 
of data minimisation (see Article 5(1)(c)), such as, for example, 
pseudonymisation. 


5. In this Article —


“approved medical research” means medical research carried out by a person
who has approval to carry out that research from —


(a) a research ethics committee recognised or established by the Health
Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or


(b) a body appointed by any of the following for the purpose of assessing
the ethics of research involving individuals —


(i) the Secretary of State, the Scottish Ministers, the Welsh
Ministers or a Northern Ireland department;


(ii) a relevant NHS body;


(iii) United Kingdom Research and Innovation or a body that is a 
Research Council for the purposes of the Science and 
Technology Act 1965; 


(iv) an institution that is a research institution for the purposes of 
Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) 
Act 2003 (see section 457 of that Act); 


“relevant NHS body” means — 
(a) an NHS trust or NHS foundation trust in England,

(b) an NHS trust or Local Health Board in Wales,

(c) a Health Board or Special Health Board constituted under section 2 of
the National Health Service (Scotland) Act 1978,

(d) the Common Services Agency for the Scottish Health Service, or

(e) any of the health and social care bodies in Northern Ireland falling
within paragraphs (b) to (e) of section 1(5) of the Health and Social
Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)).


Article 84D
Appropriate safeguards: further provision


1. The Secretary of State may by regulations make further provision about
when the requirement for appropriate safeguards under Article 84B(1) is
satisfied.


2. The power under this Article includes power to amend Article 84C by
adding, varying or omitting provision, except that it does not include power —

(a) to vary or omit paragraph 1 of that Article, or
(b) to omit any of paragraphs 2 to 4 of that Article.


3. Regulations under this Article are subject to the affirmative resolution
procedure.”


(3) In the heading of Chapter 9, after “relating to” insert “other”.


(4) Omit Article 89 (safeguards and derogations relating to processing for
archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes).


(5) The 2018 Act is amended in accordance with subsections (6) and (7).


(6) Omit section 19 (processing for archiving, research and statistical purposes:
safeguards) and the italic heading before it.


(7) In section 41(1) (safeguards: archiving), for “necessary” substitute “carried
out”.


23 Section 22: consequential provision


(1) In the UK GDPR—


(a) in Article 5(1)(e) (storage limitation), for “Article 89(1)” to “data subject” 
substitute “Article 84B”, 

(b) in Article 9(2)(j) (processing of special categories of personal data), for 
“in accordance with Article 89(1) (as supplemented by section 19 of the 
2018 Act)” substitute “, is carried out in accordance with Article 84B and 
(c) in Article 17(3)(d) (right to erasure), for “Article 89(1)” substitute
“Article 84B”, and 


(d) in Article 21(6) (right to object), omit “pursuant to Article 89(1)”. 


(2) In the 2018 Act—

(a) in paragraph 4(b) of Schedule 1 (special categories of personal data and 
criminal convictions etc data: research etc), for “Article 89(1) of the UK 
GDPR (as supplemented by section 19)” substitute “Article 84B of the 
UK GDPR”, and 

(b) in Schedule 2 (exemptions etc from the UK GDPR) —

(i) in paragraph 27(3)(a) (research and statistics), for “Article 89(1) 
of the UK GDPR (as supplemented by section 19)” substitute 
“Article 84B of the UK GDPR”, and 

(ii) in paragraph 28(3) (archiving), for “Article 89(1) of the UK 
GDPR (as supplemented by section 19)” substitute “Article 84B 
of the UK GDPR”. 


(3) In section 279(2) of the Mental Health (Care and Treatment) (Scotland) Act 2003
(asp 13) (information for research), for “Article 89(1) of the UK GDPR 
(archiving in the public interest, scientific or historical research and statistics)” 
substitute “Article 84A of the UK GDPR (research, archives and statistics)”. 


National security 


24 National security exemption 
(1) The 2018 Act is amended as follows. 


(2) In section 26(2)(f) (national security and defence exemption), before
sub-paragraph (i) insert —
“(zi) Article 77 (right to lodge a complaint with the 
Commissioner);”. 


(3) In section 44 (controller’s general duties to provide information to data 
subject) — 
(a) in subsection (4), omit paragraph (d) (grounds for restricting 
information provided: national security), 
(b) in subsection (5), after “restricted” insert “under subsection (4)”, and


(c) in subsection (7)(a), after “subsection (2)” insert “in reliance on 
subsection (4)”. 


(4) In section 45 (right of access by the data subject) —
(a) in subsection (4), omit paragraph (d) (grounds for restricting
information provided: national security),
(b) in subsection (5), after “restricted” insert “under subsection (4)”, and
(c) in subsection (7)(a), after “subsection (1)” insert “in reliance on 
subsection (4)”. 


(5) In section 48 (requests by data subject for rectification or erasure of personal 
data) — 
(a) in subsection (3), omit paragraph (d) (grounds for restricting 
information provided: national security), 
(b) in subsection (4)—
(i) for “(1)” substitute “(1)(b)(i)”, and 




(ii) after “restricted” insert “under subsection (3)”, and 
(c) in subsection (6)(a), after “subsection (1)(b)(i)” insert “in reliance on 
subsection (3)”. 


(6) In section 68(7) (communication of a personal data breach to the data subject:
grounds for restricting information provided), omit paragraph (d) (national 
security). 


(7) In Chapter 6 of Part 3 (law enforcement processing: supplementary), before 
section 79 insert — 


“78A National security exemption 


(1) A provision mentioned in subsection (2) does not apply to personal 
data processed for law enforcement purposes if exemption from the 
provision is required for the purposes of safeguarding national 
security. 


(2) The provisions are — 
(a) Chapter 2 of this Part (principles), except for the provisions 
listed in subsection (3); 
(b) Chapter 3 of this Part (rights of the data subject); 
(c) in Chapter 4 of this Part— 
(i) section 67 (notification of personal data breach to the 
Commissioner); 
(ii) section 68 (communication of personal data breach to 
the data subject); 
(d) Chapter 5 of this Part (transfers of personal data to third 
countries etc), except for the provisions listed in subsection (4); 
(e) in Part 5— 
(i) section 119 (inspection in accordance with international 
obligations); 
(ii) in Schedule 13 (other general functions of the 
Commissioner), paragraphs 1(1)(a) and (g) and 2; 
(f) in Part 6— 
(i) sections 142 to 154 and Schedule 15 (Commissioner’s 
notices and powers of entry and inspection); 
(ii) sections 170 to 173 (offences relating to personal data); 
(g) in Part 7, section 187 (representation of data subjects). 


(3) The provisions of Chapter 2 of this Part (principles) which are excepted 
from the list in subsection (2) are— 

(a) section 35(1) (the first data protection principle) so far as it 
requires processing of personal data to be lawful; 

(b) section 35(2) to (5) (lawfulness of processing and restrictions on 
sensitive processing); 

(c) section 42 (safeguards: sensitive processing); 

(d) Schedule 8 (conditions for sensitive processing). 


(4) The provisions of Chapter 5 of this Part (transfers of personal data to 
third countries etc) which are excepted from the list in subsection (2) 
are— 

(a) the following provisions of section 73 — 
(i) subsection (1)(a) (conditions for transfer), so far as it
relates to the condition in subsection (2) of that section,
and subsection (2) (transfer must be necessary for a law
enforcement purpose);

(ii) subsections (1)(d), (5) and (6) (conditions for transfer of
personal data originally made available by a member
State);

(b) section 78 (subsequent transfers).”


(8) In section 79 (national security: certificate) —

(a) omit subsections (1) to (3),

(b) after subsection (3) insert —


“(3A) Subject to subsection (5), a certificate signed by a Minister of the
Crown certifying that exemption from all or any of the
provisions listed in section 78A(2) is, or at any time was,
required in relation to any personal data for the purposes of
safeguarding national security is conclusive evidence of that
fact.”,


(c) in subsection (4), for “subsection (1)” substitute “subsection (3A) —


(a) may identify the personal data to which it applies by
means of a general description, and


(b) ”,


(d) in subsection (5), for “subsection (1)” substitute “subsection (3A)”,

(e) in subsection (7) —

(i) for “a restriction falls within a general description in a certificate
issued under subsection (1)” substitute “a certificate under
subsection (3A) which identifies the personal data to which it
applies by means of a general description applies to any
personal data”, and

(ii) for “the restriction does not fall within that description”
substitute “the certificate does not apply to the personal data in
question”,

(f) in subsection (8) —

(i) for “the restriction” substitute “the certificate”, and

(ii) for “to fall within the general description” substitute “so to
apply”,

(g) in subsection (10), for “subsection (1)” substitute “subsection (3A)”,

(h) in subsection (11), for “subsection (1)” substitute “subsection (3A)”,

(i) in subsection (12), for “subsection (1)” substitute “subsection (3A)”, and

(j) omit subsection (13).


(9) In section 110(2) (intelligence services processing: national security) —
(a) in paragraph (a), after “Chapter 2” insert “of this Part”,
(b) in paragraph (b), after “Chapter 3” insert “of this Part”, and
(c) in paragraph (c), after “Chapter 4” insert “of this Part”.


(10) In section 186(3)(c) (data subject’s rights etc: exceptions), for “and 48(3)”
substitute “, 48(3) and 78A”.


Intelligence services


25 Joint processing by intelligence services and competent authorities 
(1) Part 4 of the 2018 Act (intelligence services processing) is amended as follows. 


(2) In section 82 (processing to which Part 4 applies) —
(a) before subsection (1) insert — 


“(A1) This Part— 
(a) applies to processing of personal data by an intelligence 
service, and 
(b) applies to processing of personal data by a qualifying 
competent authority where the processing is the subject 
of a designation notice that is for the time being in force 
(see sections 82A to 82E).”, 
(b) in subsection (1)—
(i) after “applies” insert “only”, 
(ii) in paragraph (a), for “the processing by an intelligence service” 
substitute “processing”, and 
(iii) in paragraph (b), for “the processing by an intelligence service” 
substitute “processing”, 
(c) after subsection (2) insert — 


“(2A) In this Part— 
“competent authority” has the same meaning as in Part 3; 
“qualifying competent authority” means a competent 
authority specified or described in regulations made by 
the Secretary of State.”, and 
(d) after subsection (3) insert — 


“(4) Regulations under this section are subject to the affirmative 
resolution procedure.” 


(3) After section 82 insert — 
“82A Designation of processing by a qualifying competent authority 


(1) For the purposes of this Part, the Secretary of State may give a notice 
designating processing of personal data by a qualifying competent 
authority (a “designation notice”) where — 

(a) an application for designation of the processing is made in 
accordance with this section, and 

(b) the Secretary of State considers that designation of the 
processing is required for the purposes of safeguarding national 
security. 


(2) The Secretary of State may only designate processing by a qualifying 
competent authority that is carried out by the authority as a joint 
controller with at least one intelligence service. 


(3) The Secretary of State may not designate processing by a qualifying 
competent authority that consists of the transfer of personal data to— 


(a) a country or territory outside the United Kingdom, or
(b) an international organisation.


A designation notice must — 
(a) specify or describe the processing and qualifying competent 
authority that are designated, and 


(b) be given to the applicants for the designation (and see also 
section 82D). 


An application for designation of processing of personal data by a 
qualifying competent authority must be made jointly by — 
(a) the qualifying competent authority, and 
(b) the intelligence service with which the processing is to be 
carried out. 


An application may be made in respect of more than one qualifying 
competent authority and in respect of processing with more than one 
intelligence service. 


The application must — 
(a) describe the processing, including the intended purposes and 
means of processing, and 
(b) explain why the applicants consider that designation is 
required for the purposes of safeguarding national security. 


Before giving a designation notice, the Secretary of State must consult 
the Commissioner. 


In this section, “joint controller”, in relation to processing of personal 
data, means a controller whose responsibilities for compliance with this 
Part in relation to the processing are determined in an arrangement 
under section 104. 


82B Duration of designation notice 


(1) A designation notice must state when it comes into force.


(2) A designation notice ceases to be in force at the earliest of the following
times —
(a) at the end of the period of 5 years beginning with the day on
which it comes into force;
(b) (if relevant) at the end of a shorter period specified in the notice;
(c) when the notice is withdrawn under section 82C.


(3) The Secretary of State may give a further designation notice in respect
of processing that is, or has been, the subject of a previous designation
notice.


82C Review and withdrawal of designation notice 


(1) Subsections (2) to (4) apply where processing is the subject of a
designation notice for the time being in force.


(2) A person who applied for the designation of the processing must notify
the Secretary of State without undue delay if the person considers that
the designation is no longer required for the purposes of safeguarding
national security.


(3) A person who applied for the designation of the processing must, on a
request from the Secretary of State, provide —

(a) a description of the processing that is being, or is intended to be,
carried out in reliance on the notice, and


(b) an explanation of why the person considers that designation of
the processing continues to be required for the purposes of
safeguarding national security.


(4) The Secretary of State must at least annually —
(a) review each designation notice that is for the time being in force, 
and 


(b) consider whether designation of the processing which is the 
subject of the notice continues to be required for the purposes of 
safeguarding national security. 


(5) The Secretary of State — 


(a) may withdraw a designation notice by giving a further notice (a 
“withdrawal notice”) to the persons who applied for the 
designation, and 


(b) must give a withdrawal notice if the Secretary of State considers 
that designation of some or all of the processing to which the 
notice applies is no longer required for the purposes of 
safeguarding national security (whether as a result of a review 
required under subsection (4) or otherwise). 


(6) A withdrawal notice must — 
(a) withdraw the designation notice completely, and 
(b) state when it comes into force. 


(7) In determining when a withdrawal notice required under subsection 
(5)(b) comes into force, the Secretary of State must consider — 


(a) the desirability of the processing ceasing to be designated as 
soon as possible, and 


(b) where relevant, the time needed to effect an orderly transition 
to new arrangements for the processing of personal data. 


82D Records of designation notices 


(1) Where the Secretary of State gives a designation notice — 


(a) the Secretary of State must send a copy of the notice to the 
Commissioner, and 


(b) the Commissioner must publish a record of the notice. 


(2) The record must contain — 
(a) the Secretary of State’s name, 
(b) the date on which the notice was given, 


(c) the date on which the notice ceases to have effect (if not 
previously withdrawn), and 


(d) subject to subsection (3), the rest of the text of the notice. 


(3) The Commissioner must not publish the text, or a part of the text, of the 


notice if — 
(a) the Secretary of State determines that publishing the text or that 
part of the text — 


(i) would be against the interests of national security, 
(ii) would be contrary to the public interest, or 
(iii) might jeopardise the safety of any person, and 
(b) the Secretary of State has notified the Commissioner of that
determination. 


(4) The Commissioner must keep the record of the notice available to the 
public while the notice is in force. 


(5) Where the Secretary of State gives a withdrawal notice, the Secretary of 
State must send a copy of the notice to the Commissioner. 


82E Appeal against designation notice 


(1) A person directly affected by a designation notice may appeal to the 
Tribunal against the notice. 


(2) If, on an appeal under this section, the Tribunal finds that, applying the
principles applied by a court on an application for judicial review, the 
Secretary of State did not have reasonable grounds for giving the 
notice, the Tribunal may — 

(a) allow the appeal, and 
(b) quash the notice.” 


26 Joint processing: consequential amendments 
(1) The 2018 Act is amended as follows. 


(2) In section 1(5) (overview: Part 4), at the end insert “(and certain processing 
carried out by competent authorities jointly with the intelligence services)”. 


(3) In section 29 (processing to which Part 3 applies), after subsection (1) insert — 


“(1A) This Part does not apply to processing to which Part 4 applies by virtue
of a designation notice (see section 82A).” 


(4) In section 83 (meaning of “controller” and “processor” in Part 4) —
(a) before subsection (1) insert —


“(A1) For the purposes of this Part —
(a) an intelligence service is the “controller” in relation to 
the processing of personal data if it satisfies subsection 
(1) alone or jointly with others, and 
(b) a qualifying competent authority is the “controller” in 
relation to the processing of personal data that is the 
subject of a designation notice that is for the time being 
in force if the authority satisfies subsection (1) jointly 
with others.”, 
(b) in subsection (1), for the words before paragraph (a) substitute “This 
subsection is satisfied by a person who—”, and 
(c) in subsection (2), for “intelligence service” substitute “person”.


(5) In section 84 (other definitions) —
(a) after subsection (2) insert — 


“(2A) “Designation notice” has the meaning given in section 82A.”, 
and 
(b) after subsection (6) insert — 


“(6A) “Withdrawal notice” has the meaning given in section 82C.” 
(6) In section 104(1) (joint controllers), for “intelligence services” substitute
“controllers”. 


(7) In section 202(1)(a)(i) (proceedings in the First-tier Tribunal: contempt) after 
“79,” insert “82E,”. 


(8) In section 203(1) (Tribunal Procedure Rules), after “79,” insert “82E,”.


(9) In section 206 (index of defined expressions), in the Table —
(a) in the entry for “competent authority” —
(i) for “Part 3” substitute “Parts 3 and 4”, and
(ii) for “section 30” substitute “sections 30 and 82”, and
(b) at the appropriate places insert—


“designation notice (in Part 4) | section 84”;
“qualifying competent authority (in Part 4) | section 82”;
“withdrawal notice (in Part 4) | section 84”.


Information Commissioner's role 


27 Duties of the Commissioner in carrying out functions
(1) The 2018 Act is amended as follows. 
(2) Omit section 2(2) (duty of Commissioner when carrying out functions). 


(3) After section 120 insert — 


“Duties in carrying out functions 
120A Principal objective 


It is the principal objective of the Commissioner, in carrying out 
functions under the data protection legislation — 


(a) to secure an appropriate level of protection for personal data, 
having regard to the interests of data subjects, controllers and 
others and matters of general public interest, and 


(b) to promote public trust and confidence in the processing of
personal data.


120B Duties in relation to functions under the data protection legislation 


In carrying out functions under the data protection legislation, the 
Commissioner must have regard to such of the following as appear to 
the Commissioner to be relevant in the circumstances — 

(a) the desirability of promoting innovation; 

(b) the desirability of promoting competition; 

(c) the importance of the prevention, investigation, detection and 

prosecution of criminal offences; 
(d) the need to safeguard public security and national security. 
120C Strategy


(1) The Commissioner must prepare a strategy for carrying out the 
Commissioner’s functions under the data protection legislation in 
accordance with the Commissioner’s duties under — 

(a) sections 120A and 120B, 

(b) section 108 of the Deregulation Act 2015 (exercise of regulatory 
functions: economic growth), and 

(c) section 21 of the Legislative and Regulatory Reform Act 2006 
(exercise of regulatory functions: principles). 


(2) The Commissioner must — 
(a) review the strategy from time to time, and 
(b) revise the strategy as appropriate. 


(3) The Commissioner must publish the strategy and any revised strategy. 
120D Duty to consult other regulators 


(1) The Commissioner must, at such times as the Commissioner considers 
appropriate, consult the persons mentioned in subsection (2) about 
how the manner in which the Commissioner exercises functions under 
the data protection legislation may affect economic growth, innovation 
and competition. 


(2) The persons are— 


(a) such persons exercising regulatory functions as the
Commissioner considers appropriate; 
(b) such other persons as the Commissioner considers appropriate. 


(3) In this section “regulatory function” has the meaning given by section 
111 of the Deregulation Act 2015.” 


(4) In section 139 (reporting to Parliament), after subsection (1) insert —


“(1A) In connection with the Commissioner’s functions under the data
protection legislation, the report must contain (among other things) — 
(a) a review of what the Commissioner has done during the 
reporting period to comply with the duties under — 
(i) sections 120A and 120B, 
(ii) section 108 of the Deregulation Act 2015, and 
(iii) section 21 of the Legislative and Regulatory Reform Act 
2006, 
including a review of the operation of the strategy prepared and 
published under section 120C; 


(b) a review of what the Commissioner has done during the 
reporting period to comply with the duty under section 120D. 


(1B) In subsection (1A), “the reporting period” means the period to which 
the report relates.” 


(5) The Commissioner must prepare and publish a strategy in accordance with 
section 120C of the 2018 Act before the end of the period of 18 months 
beginning with the day on which this section comes into force. 
28 Strategic priorities
(1) The 2018 Act is amended as follows.
(2) After section 120D (inserted by section 27 of this Act) insert —


“Strategic priorities
120E Designation of statement of strategic priorities


(1) The Secretary of State may designate a statement as the statement of
strategic priorities for the purposes of this Part if the requirements set
out in section 120H are satisfied.


(2) The statement of strategic priorities is a statement prepared by the
Secretary of State that sets out the strategic priorities of Her Majesty’s
government relating to data protection.


(3) The Secretary of State must publish the statement of strategic priorities
(including any amended statement following a review under section
120G) in whatever manner the Secretary of State considers appropriate.


(4) In this Part, “the statement of strategic priorities” means the statement
for the time being designated under subsection (1).


120F Duties of the Commissioner in relation to strategic priorities


(1) The Commissioner must have regard to the statement of strategic
priorities when carrying out functions under the data protection
legislation.


(2) But the duty in subsection (1) does not apply when the Commissioner
is carrying out functions in relation to a particular person, case or
investigation.


(3) Where the Secretary of State designates a statement as the statement of
strategic priorities (including any amended statement following a
review under section 120G), the Commissioner must —

(a) explain in writing how the Commissioner will have regard to
the statement when carrying out functions under the data
protection legislation, and

(b) publish a copy of that explanation.


(4) The duty in subsection (3) must be complied with—


(a) within the period of 40 days beginning with the day of the
designation, or
(b) within whatever longer period the Secretary of State may allow.


(5) In calculating the period of 40 days mentioned in subsection (4)(a), no
account is to be taken of —
(a) Saturdays or Sundays,
(b) Christmas Day or Good Friday, or
(c) a day which is a bank holiday under the Banking and Financial
Dealings Act 1971 in any part of the United Kingdom.


(6) For a further duty of the Commissioner in relation to the statement of
strategic priorities, see section 139(1A)(c).
120G Review of designated statement


(1) The Secretary of State must review the statement of strategic priorities
if a period of 3 years has elapsed since the relevant time.


(2) The “relevant time”, in relation to the statement of strategic priorities,
means —
(a) the time when the statement was first designated under section
120E, or
(b) if later, the time when a review of the statement under this
section last took place.


(3) A review under subsection (1) must take place as soon as reasonably
practicable after the end of the 3 year period.


(4) The Secretary of State may review the statement of strategic priorities
at any other time if —

(a) a Parliamentary general election has taken place since the
relevant time,

(b) a significant change in the policy of Her Majesty’s government
relating to data protection has occurred since the relevant time,
or

(c) the Parliamentary requirement in relation to an amended
statement was not met on the last review (see subsection (12)).


(5) For the purposes of subsection (4)(b), a significant change in the policy
of the government relating to data protection has occurred only if —
(a) the change was not anticipated by the Secretary of State at the
relevant time, and
(b) if the change had been so anticipated, it appears to the Secretary
of State likely that the statement would have been different in a
material way.


(6) On a review under this section, the Secretary of State may —
(a) amend the statement (including by replacing the whole or part
of the statement with new content),
(b) leave the statement as it is, or
(c) withdraw the statement’s designation as the statement of
strategic priorities.


(7) A statement amended under subsection (6)(a) has effect only if the
Secretary of State designates the amended statement as the statement of
strategic priorities statement under section 120E (and the requirements
set out in section 120H apply in relation to any such designation).


(8) Where the designation of a statement is withdrawn under subsection
(6)(c), the Secretary of State must publish notice of the withdrawal in
whatever manner the Secretary of State considers appropriate.


(9) For the purposes of this section, corrections of clerical or typographical
errors are not to be treated as amendments of the statement.


(10) The designation of a statement as the statement of strategic priorities
ceases to have effect upon a subsequent designation of an amended
statement as the statement of strategic priorities in accordance with
subsection (7).
(11) For the purposes of subsection (2)(b), a review of a statement takes
place —
(a) in the case of a decision on the review to amend the statement
under subsection (6)(a) —

(i) at the time when the amended statement is designated
as the statement of strategic priorities under section
120E, or

(ii) if the amended statement is not so designated, at the
time when the amended statement was laid before
Parliament under section 120H(1);
(b) in the case of a decision on the review to leave the statement as
it is under subsection (6)(b), at the time when that decision is
taken.


(12) For the purposes of subsection (4)(c), the Parliamentary requirement in
relation to an amended statement was not met on the last review if —
(a) on the last review of the statement of strategic priorities to be
held under this section, an amended statement was laid before
Parliament under section 120H(1), but
(b) the amended statement was not designated because within the
period mentioned in section 120H(2) either House of Parliament
resolved not to approve it.


120H Parliamentary procedure


(1) Before the Secretary of State designates a statement as the statement of
strategic priorities, the Secretary of State must lay the statement before
Parliament.


(2) The Secretary of State must then wait until the end of the 40-day period
and may not designate the statement if, within that period, either
House of Parliament resolves not to approve it.


(3) “The 40-day period” means —
(a) if the statement is laid before both Houses of Parliament on the
same day, the period of 40 days beginning with that day, or
(b) if the statement is laid before the Houses of Parliament on
different days, the period of 40 days beginning with the later of
those days.


(4) In calculating the 40-day period, no account is to be taken of any whole
days that fall within a period during which Parliament is dissolved or
prorogued or during which both Houses are adjourned for more than
4 days.”


(3) In section 139 (reporting to Parliament), in subsection (1A) (inserted by section
27 of this Act), at the end insert—


“(c) a review of how the Commissioner has had regard to the
statement of strategic priorities during the reporting period.”


(4) In the Table in section 206 (index of defined expressions), at the appropriate
place insert —


“statement of strategic priorities (in Part 5) | section 120E”
29 Codes of practice as to the processing of personal data
(1) The 2018 Act is amended in accordance with subsections (2) to (6). 
(2) After section 124 insert — 
“124A Other codes of practice 


(1) The Commissioner must prepare appropriate codes of practice giving 
guidance as to good practice in the processing of personal data if 
required to do so by regulations made by the Secretary of State. 


(2) Regulations under this section — 
(a) must describe the personal data or processing to which the code 
of practice is to relate, and 


(b) may describe the persons or classes of persons to whom it is to 
relate. 


(3) Where a code under this section is in force, the Commissioner may
prepare amendments of the code or a replacement code.


(4) Before preparing a code or amendments under this section, the 
Commissioner must consult the Secretary of State and such of the 
following as the Commissioner considers appropriate — 

(a) trade associations; 

(b) data subjects; 

(c) persons who appear to the Commissioner to represent the 
interests of data subjects. 


(5) A code under this section may include transitional provision or 
savings. 


(6) Regulations under this section are subject to the negative resolution 
procedure. 


(7) In this section— 

“good practice in the processing of personal data” means such 
practice in the processing of personal data as appears to the 
Commissioner to be desirable having regard to the interests of 
data subjects and others, including compliance with the 
requirements of the data protection legislation; 

“trade association” includes a body representing controllers or 
processors.” 


(3) In section 125 (approval of codes prepared under sections 121 to 124) —
(a) in the heading, for “124” substitute “124A”, 
(b) for subsection (5) substitute — 


“(5) If the Commissioner is prevented by subsection (3) from issuing 
a code that is not a replacement code, the Commissioner must 
prepare another version of the code.”, and 


(c) in subsection (9), for “or 124” substitute “, 124 or 124A”.


(4) In section 126 (publication and review of codes issued under section 125(4)) in
subsection (4), for “or 124(2)” substitute “, 124(2) or 124A(3)”. 


(5) Omit section 128 (other codes of practice). 
(6) In section 129 (consensual audits) in subsection (3), for “128” substitute “124A”.


(7) In section 19AC of the Registration Service Act 1953 (code of practice) in 
subsection (11), for “128” substitute “124A”. 


(8) In the Statistics and Registration Service Act 2007— 


(a) in section 45 (information held by HMRC) in subsection (4A), for “128” 
substitute “124A”, 


(b) in section 45A (information held by other public authorities) in 
subsection (8), for “128” substitute “124A”, 

(c) in section 45E (further provisions about powers in sections 45B, 45C 
and 45D) in subsection (16), for “128” substitute “124A”, and 


(d) in section 53A (disclosure by the Board to devolved administrations) in
subsection (9), for “128” substitute “124A”. 


(9) In the Digital Economy Act 2017—


(a) in section 43 (code of practice) in subsection (13), for “128” substitute
“124A”,


(b) in section 52 (code of practice) in subsection (13), for “128” substitute
“124A”,


(c) in section 60 (code of practice) in subsection (13), for “128” substitute 
“124A”, and 


(d) in section 70 (code of practice) in subsection (15), for “128” substitute 
“124A”. 


30 Codes of practice: panels and impact assessments 
(1) The 2018 Act is amended as follows. 
(2) After section 124A (inserted by section 29 of this Act) insert — 
“124B Panels to consider codes of practice 


(1) This section applies where a code is prepared under section 121, 122, 
123, 124 or 124A, subject to subsection (11). 


(2) The Commissioner must establish a panel of individuals to consider the 
code. 


(3) The panel must consist of — 
(a) individuals the Commissioner considers have expertise in the 
subject matter of the code, and 
(b) individuals the Commissioner considers — 
(i) are likely to be affected by the code, or 
(ii) represent persons likely to be affected by the code. 


(4) Before the panel begins to consider the code, the Commissioner must — 
(a) publish the code in draft, and 
(b) publish a statement that— 
(i) states a panel has been established to consider the code,
(ii) identifies the members of the panel, 
(iii) explains the process by which they were selected, and 
(iv) explains the reasons for their selection. 
(5) Where at any time it appears to the Commissioner that a member of the
panel is not willing or able to serve as a member of the panel, the
Commissioner may select another individual to be a member of the
panel.


(6) Where the Commissioner selects an individual to be a member of the
panel under subsection (5), the Commissioner must publish a
statement that —
(a) identifies the member of the panel,
(b) explains the process by which the member was selected, and
(c) explains the reasons for the member’s selection.


(7) The Commissioner must make arrangements —
(a) for the members of the panel to consider the code with one
another (whether in person or otherwise), and
(b) for the panel to prepare and submit to the Commissioner a
report on the code within such reasonable period as is
determined by the Commissioner.


(8) If the panel submits to the Commissioner a report on the code within
the period determined by the Commissioner, the Commissioner must
as soon as reasonably practicable —
(a) make any alterations to the code that the Commissioner
considers appropriate in the light of the report, and
(b) publish—
(i) the code in draft,
(ii) the report or a summary of it, and
(iii) in a case where a recommendation in the report to alter
the code has not been accepted by the Commissioner, an
explanation of why it has not been accepted.


(9) The Commissioner may pay remuneration and expenses to the
members of the panel.


(10) This section applies in relation to amendments prepared under section
121, 122, 123, 124 or 124A as it applies in relation to codes prepared
under those sections, subject to subsection (11).


(11) The Secretary of State may by regulations provide that this section does
not apply, or applies with modifications, in the case of a code or
amendments of a code that —

(a) is prepared under section 124A, and

(b) is specified in the regulations.


(12) Regulations under this section are subject to the negative resolution
procedure.


124C Impact assessments of codes of practice


(1) Where a code is prepared under section 121, 122, 123, 124 or 124A, the
Commissioner must carry out and publish an assessment of —
(a) who would be likely to be affected by the code, and
(b) the effect the code would be likely to have on them.


(2) This section applies in relation to amendments prepared under section
121, 122, 123, 124 or 124A as it applies in relation to codes prepared 
under those sections.” 


31 Codes of practice: approval by the Secretary of State 
(1) The 2018 Act is amended as follows. 
(2) After section 124C (inserted by section 30 of this Act) insert — 
“124D Approval by Secretary of State of codes of practice 


(1) Where a code is prepared under section 121, 122, 123, 124 or 124A, the 
Commissioner must submit the final version to the Secretary of State. 


(2) Within the period of 40 days beginning with the day on which the code 
is submitted to the Secretary of State, the Secretary of State must decide 
whether to approve the code. 


(3) If the Secretary of State approves the code, the Secretary of State must 
lay the code before Parliament. 


(4) If the Secretary of State does not approve the code, the Secretary of State
must — 
(a) give a statement to the Commissioner that — 
(i) states that the Secretary of State does not approve the 
code, and 


(ii) explains the reasons why the Secretary of State does not 
approve the code, and 


(b) publish the statement. 


(5) If the Secretary of State does not approve the code, the Commissioner 
must — 
(a) revise the code in the light of the statement given by the 
Secretary of State, and 
(b) submit the revised code to the Secretary of State. 


(6) If the Commissioner submits a revised code to the Secretary of State, 
subsections (2) to (5) and this subsection apply again. 


(7) This section applies in relation to amendments prepared under section 
121, 122, 123, 124 or 124A as it applies in relation to codes prepared 
under those sections. 


(8) In calculating the period of 40 days mentioned in subsection (2), no 
account is to be taken of — 
(a) Saturdays or Sundays, 
(b) Christmas Day or Good Friday, or 
(c) a day which is a bank holiday under the Banking and Financial
Dealings Act 1971 in any part of the United Kingdom.” 


(3) In section 125 (approval of codes prepared under sections 121 to 124) —
(a) in the heading, after “Approval” insert “by Parliament”, and 
(b) for subsections (1) and (2) substitute — 


“(1) This section applies where a code is laid before Parliament 
under section 124D.”, and 
(c) in subsection (3), for “a code prepared under section 121, 122, 123 or
124” substitute “the code”, and 


(d) in subsection (9), for “subsections (2) and (5)” substitute “subsection
(5)”.


32 Vexatious or excessive requests made to the Information Commissioner
(1) The 2018 Act is amended in accordance with subsections (2) and (3). 


(2) In section 135 (manifestly unfounded or excessive requests made to the 
Commissioner) — 
(a) in the heading, for “Manifestly unfounded” substitute “Vexatious”, 
(b) in subsection (1)—
(i) for “manifestly unfounded” substitute “vexatious”, and 
(ii) after “excessive” insert “(see section 204A)”, 


(c) omit subsection (2), 

(d) in subsection (3), for “manifestly unfounded” substitute “vexatious”,
(e) omit subsection (4), and 

(f) after that subsection insert — 


“(5) Article 57(3) of the UK GDPR (performance of Information 
Commissioner’s tasks generally to be free of charge for data 
subject) has effect subject to this section.” 


(3) In section 136(1) (guidance about fees), omit paragraph (b) (and the “or” before
it). 


(4) In Article 57 of the UK GDPR (Information Commissioner’s tasks), omit 
paragraph 4. 
33 Analysis of performance
In the 2018 Act, after section 139 insert — 
“139A Analysis of performance 


(1) The Commissioner must prepare and publish an analysis of the 
Commissioner’s performance using key performance indicators. 


(2) The analysis must be prepared and published at least annually. 


(3) In this section, “key performance indicators” means factors by reference 
to which the Commissioner’s performance can be measured most 
effectively. 


Documents and notices”. 
Enforcement 


34 Power of the Commissioner to require documents 
(1) The 2018 Act is amended as follows. 


(2) In section 142 (information notices) —
(a) in subsection (1) — 
(i) in paragraph (a), after “information” insert “or documents”, and

(ii) in paragraph (b), after “information” insert “or documents”,

(b) in subsection (2)(b), after “information” insert “or documents”,
(c) in subsection (3) —
(i) in paragraph (a), after “information”, in both places it occurs, 
insert “or documents”, 

(ii) in paragraph (b), after “information” insert “or documents”, 
(iii) in paragraph (c), after “information” insert “or documents”, and 
(iv) in paragraph (d), after “information” insert “or documents”, 

(d) in subsection (5), after “information”, in the second place it occurs, 
insert “or documents”, 
(e) in subsection (6), after “information”, in the second place it occurs, 
insert “or documents”, and 
(f) in subsection (7) — 
(i) in paragraph (a) for “is” substitute “or documents are”, and 


(ii) in the words after paragraph (b), after “information” insert “or 
documents”. 




(3) In section 143 (information notices: restrictions) —
(a) in subsection (1)(b)(ii), for “is” substitute “or documents are”, 
(b) in subsection (2), after “information”, in the second place it occurs, 
insert “or documents”, 


(c) in subsection (3), for “in respect” substitute “or documents to the extent
that requiring the person to do so would result in the disclosure”, 


(d) in subsection (4), for “in respect” substitute “or documents to the extent
that requiring the person to do so would result in the disclosure”, and 


(e) in subsection (6), after “information”, in the second place it occurs, 
insert “or documents”. 


(4) In section 145 (information orders) —
(a) in subsection (2) — 
(i) in paragraph (a), after “information”, in the first place it occurs, 
insert “or documents”, and 
(ii) in paragraph (b), after “information” insert “or documents”, and 
(b) in subsection (3) —
(i) in paragraph (a), after “information” insert “or documents”, 
(ii) in paragraph (b), after “information” insert “or documents”, and 
(iii) in paragraph (c), after “information” insert “or documents”. 


(5) In section 148(1) (destroying or falsifying information and documents etc), in 
paragraph (a), after “information”, in the second place it occurs, insert “or a 
document”. 


(6) In section 160 (guidance about regulatory action), in subsection (3)(a), for “is”
substitute “or documents are”. 


(7) In Schedule 17 (review of processing of personal data for the purposes of 
journalism) in paragraph 2(2) (information notices) — 
(a) in paragraph (a), for “is” substitute “or documents are”, and 


(b) in the words after paragraph (b), after “information” insert “or 
documents”. 
35 Power of the Commissioner to require a report
(1) The 2018 Act is amended as follows. 


(2) In section 146 (assessment notices) — 
(a) in subsection (2), after paragraph (i), insert — 
“(j) make arrangements for an approved person to prepare
a report on a specified matter; 
(k) provide to the Commissioner a report prepared in 
pursuance of such arrangements.” 
(b) after subsection (3) insert — 


“(3A) An assessment notice that requires a controller or processor to 
make arrangements for an approved person to prepare a report 
may require the arrangements to include specified terms as to — 

(a) the preparation of the report; 

(b) the contents of the report; 

(c) the form in which the report is to be provided; 

(d) the date by which the report is to be completed.” 
(c) after subsection (11) insert — 


“(11A) Where the Commissioner gives an assessment notice that
requires the controller or processor to make arrangements for 
an approved person to prepare a report, the controller or 
processor is liable for the payment of the approved person’s 
remuneration and expenses under the arrangements.” 

(d) in subsection (12), before the definition of “domestic premises”, 
insert — 


““approved person”, in relation to a report, means a person
approved to prepare the report in accordance with 
section 146A;”. 


(3) After section 146 insert — 
“146A Assessment notices: approval of person to prepare report etc 


(1) This section applies where an assessment notice requires a controller or 
processor to make arrangements for an approved person to prepare a 
report. 


(2) The controller or processor must, within such period as is specified in 
the assessment notice, nominate to the Commissioner a person to 
prepare the report. 


(3) If the Commissioner is satisfied that the nominated person is a suitable 
person to prepare the report, the Commissioner must by written notice 
to the controller or processor approve the nominated person to prepare 
the report. 


(4) If the Commissioner is not satisfied that the nominated person is a 
suitable person to prepare the report, the Commissioner must by 
written notice to the controller or processor — 

(a) inform the controller or processor that the Commissioner has 
decided not to approve the nominated person to prepare the 
report, 
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(b) inform the controller or processor of the reasons for that 
decision, and 


(c) approve a person who the Commissioner is satisfied is a 
suitable person to prepare the report to do so. 


(5) If the controller or processor does not nominate a person within the 
period specified in the assessment notice, the Commissioner must by 
written notice to the controller or processor approve a person who the 
Commissioner is satisfied is a suitable person to prepare the report to 
do so. 


(6) It is the duty of the controller or processor to give the person approved
to prepare the report all such assistance as the person may reasonably 
require to prepare the report.” 


(4) In section 155 (penalty notices), in subsection (1) —
(a) omit “or” at the end of paragraph (a), and 
(b) at the end of paragraph (b) insert “, or 


(c) has failed to comply with a duty imposed on the person 
by section 146A(6).”


(5) In section 160 (guidance about regulatory action), in subsection (4) —
(a) after paragraph (a) insert — 
“(aa) provision specifying factors to be considered in 
determining whether to give an assessment notice to a 
person that imposes a requirement of a sort mentioned 
in section 146(2)(j); 
(ab) provision about the factors the Commissioner may take
into account when determining the suitability of a
person to prepare a report of a sort mentioned in section
146(2)(j) or (k);”.


36 Interview notices 


(1) The 2018 Act is amended as follows. 
(2) After section 148 insert — 


“Interview notices 
148A Interview notices 


(1) This section applies where the Commissioner suspects that a controller 
or processor — 


(a) has failed or is failing as described in section 149(2), or 
(b) has committed or is committing an offence under this Act. 


(2) For the purpose of investigating the suspected failure or offence, the 
Commissioner may, by written notice (an “interview notice”), require 
an individual within subsection (3) to— 


(a) attend at a place specified in the notice, and


(b) answer questions with respect to any matter relevant to the 
investigation. 


(3) An individual is within this subsection if the individual — 
(a) is the controller or processor,

(b) is or was at any time employed by, or otherwise working for,
the controller or processor, or

(c) is or was at any time concerned in the management or control of
the controller or processor.


(4) An interview notice must specify the time at which the individual must
attend at the specified place and answer questions (but see the
restrictions in subsections (6) and (7)).


(5) An interview notice must —
(a) indicate the nature of the suspected failure or offence that is the
subject of the investigation,
(b) provide information about the consequences of failure to
comply with the notice, and
(c) provide information about the rights under sections 162 and 164
(appeals etc).


(6) An interview notice may not require an individual to attend at the
specified place and answer questions before the end of the period
within which an appeal can be brought against the notice.


(7) If an appeal is brought against an interview notice, the individual to
whom the notice is given need not attend at the specified place and
answer questions pending the determination or withdrawal of the
appeal.


(8) If an interview notice —

(a) states that, in the Commissioner’s opinion, it is necessary for the
individual to attend at the specified place and answer questions
urgently, and

(b) gives the Commissioner’s reasons for reaching that opinion,

subsections (6) and (7) do not apply but the notice must not require the
individual to attend at the specified place and answer questions before
the end of the period of 24 hours beginning when the notice is given.


(9) The Commissioner may cancel or vary an interview notice by written
notice to the individual to whom it was given.


148B Interview notices: restrictions


(1) An interview notice does not require an individual to answer questions
to the extent that requiring the person to do so would involve an
infringement of the privileges of either House of Parliament.


(2) An interview notice does not require an individual to answer questions
in respect of a communication which is made —
(a) between a professional legal adviser and the adviser’s client,
and
(b) in connection with the giving of legal advice to the client with
respect of obligations, liabilities or rights under the data
protection legislation.


(3) An interview notice does not require an individual to answer questions
in respect of a communication which is made —
(a) between a professional legal adviser and the adviser’s client or
between such an adviser or client and another person,
(b) in connection with or in contemplation of proceedings under or
arising out of the data protection legislation, and 


(c) for the purposes of such proceedings. 


(4) In subsections (2) and (3), references to the client of a professional legal
adviser include references to a person acting on behalf of the client. 


(5) An interview notice does not require an individual to answer questions
if doing so would, by revealing evidence of the commission of an 
offence, expose the individual to proceedings for that offence. 


(6) The reference to an offence in subsection (5) does not include an offence 
under — 

(a) this Act; 

(b) section 5 of the Perjury Act 1911 (false statements made 
otherwise than on oath); 

(c) section 44(2) of the Criminal Law (Consolidation) (Scotland) 
Act 1995 (false statutory declarations and other false unsworn 
statements); 

(d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 
1979/1714 (N.I. 19)) (false statutory declarations and other false 
unsworn statements). 


(7) A statement made by an individual in response to an interview notice 
may not be used in evidence against that individual on a prosecution 
for an offence under this Act (other than an offence under section 148C) 
unless in the proceedings — 

(a) in giving evidence the individual provides information 
inconsistent with the statement, and 

(b) evidence relating to the statement is adduced, or a question 
relating to it is asked, by that individual or on that individual’s 
behalf. 


(8) The Commissioner may not give an interview notice with respect to the 
processing of personal data for the special purposes. 


(9) The Commissioner may not give an interview notice to an individual 
for the purpose of investigating a suspected failure or offence if the 
controller or processor suspected of the failure or offence is — 

(a) a body specified in section 23(3) of the Freedom of Information 
Act 2000 (bodies dealing with security matters), or 

(b) the Office for Standards in Education, Children’s Services and 
Skills in so far as it is a controller or processor in respect of 
information processed for the purposes of functions exercisable 
by Her Majesty’s Chief Inspector of Education, Children’s 
Services and Skills by virtue of section 5(1)(a) of the Care 
Standards Act 2000. 


148C False statements made in response to interview notices 


It is an offence for an individual, in response to an interview notice — 
(a) to make a statement which the individual knows to be false in a 
material respect, or 
(b) recklessly to make a statement which is false in a material 
respect.” 

(3) In section 149 (enforcement notices), in subsection (9)(b) — 
(a) after “an assessment notice” insert “, an interview notice”, and 
(b) after “147” insert “, 148A, 148B”. 
(4) In section 155 (penalty notices), in subsection (1)(b), after “assessment notice” 
insert “, an interview notice”. 
(5) In section 157 (maximum amount of penalty), in subsection (4), after 
“assessment notice” insert “, an interview notice”. 
(6) In section 160 (guidance about regulatory action) — 
(a) in subsection (1), after paragraph (b) insert — 
“(ba) interview notices,”, and 
(b) after subsection (5) insert — 
“(5A) In relation to interview notices, the guidance must include — 

(a) provision specifying factors to be considered in 
determining whether to give an interview notice to an 
individual; 

(b) provision about the circumstances in which the 
Commissioner would consider it appropriate to give an 
interview notice to an individual in reliance on section 
148A(8) (urgent cases); 

(c) provision about the circumstances in which the 
Commissioner would consider it appropriate to vary the 
place or time specified in an interview notice at the 
request of the individual to whom the notice is given; 

(d) provision about the nature of interviews carried out in 
accordance with an interview notice; 

(e) provision about how the Commissioner will determine 
how to proceed if an individual does not comply with an 
interview notice.” 

(7) In section 162 (rights of appeal), in subsection (1), after paragraph (b) insert — 
“(ba) an interview notice;”. 
(8) In section 164 (applications in respect of urgent notices) — 
(a) in subsection (1), after “assessment notice” insert “, an interview 
notice”, and 
(b) in subsection (5), after paragraph (b) (but before the “and” after it) 
insert — 
“(ba) in relation to an interview notice, a statement under 
section 148A(8)(a),”. 
(9) In section 181 (interpretation of Part 6), at the appropriate place, insert — 
“interview notice” has the meaning given in section 148A;”. 
(10) In section 196 (penalties for offences), in subsection (2), after “148,” insert 
“148C,”. 
(11) In section 206 (index of defined expressions), at the appropriate place, insert — 


“interview notice (in Part 6) section 181” 

(12) In Schedule 17 (review of processing of personal data for the purposes of 
journalism) — 


(a) after paragraph 3 insert — 
“Interview notices 


3A (1) Sub-paragraph (2) applies where the Commissioner gives an 
interview notice to an individual during a relevant period. 


(2) If the interview notice — 

(a) states that, in the Commissioner’s opinion, it is 
necessary for the individual to comply with a 
requirement in the notice for the purposes of the 
relevant review, and 

(b) gives the Commissioner’s reasons for reaching that 
opinion, 

subsections (6) and (7) of section 148A do not apply but the 
notice must not require the individual to comply with the 
requirement before the end of the period of 24 hours 
beginning when the notice is given. 


(3) During a relevant period, section 148B has effect as if for 
subsection (8) there were substituted — 


“(8) The Commissioner may not give an individual an 
interview notice with respect to the processing of 
personal data for the special purposes unless a 
determination under section 174 with respect to the 
data or the processing has taken effect.”, and 
(b) in paragraph 4 (applications in respect of urgent notices) — 
(i) for “or assessment notice” substitute “, assessment notice or 
interview notice”, 
(ii) for “or 3(2)(a)” substitute “, 3(2)(a) or 3A(2)(a)”, and 
(iii) for “or 146(8)(a)” substitute “, 146(8)(a) or 148A(8)(a)”. 


37 Penalty notices 
(1) The 2018 Act is amended as follows. 


(2) In paragraph 2 of Schedule 16 (notice of intent to impose penalty), omit sub- 
paragraphs (2) and (3). 
(3) In paragraph 4 of that Schedule (giving a penalty notice) — 
(a) before sub-paragraph (1) insert — 


“(A1) This paragraph applies where the Commissioner gives a 
notice of intent to a person. 


(B1) Within the period of 6 months beginning with the day the 
notice is given, or as soon as reasonably practicable 
thereafter, the Commission must give to the person — 

(a) a penalty notice, or 
(b) written notice that the Commissioner has decided not 
to give a penalty notice to the person.”, 
(b) in sub-paragraph (1) — 
(i) at the beginning, insert “But”, and 
(ii) after “penalty notice” insert “to the person”, and 
(c) in sub-paragraph (2), for “a person” substitute “the person”. 
(4) In section 160 (guidance about regulatory action), in subsection (7), after 
paragraph (d) insert — 

“(e) provision about the circumstances in which the Commissioner 
would consider it necessary to comply with the duty in 
paragraph 4(B1) of Schedule 16 after the period of 6 months 
mentioned in that paragraph.” 


38 Annual report on regulatory action 
(1) The 2018 Act is amended as follows. 


(2) In section 139 (reporting to Parliament), before subsection (3) insert — 


“(2A) The report under this section may include the annual report under 
section 161A.” 


(3) In the heading before section 160, at the end insert “and report”. 


(4) After section 161 insert — 


“161A Annual report on regulatory action 


(1) The Commissioner must produce and publish an annual report on— 
(a) UK GDPR investigations, and 
(b) the exercise of the Commissioner’s enforcement powers. 


(2) The report must include the following information about UK GDPR 
investigations — 

(a) the number of investigations begun, continued or completed by 
the Commissioner during the reporting period, 

(b) the different types of act and omission that were the subject 
matter of the investigations, 

(c) the enforcement powers exercised by the Commissioner in the 
reporting period in connection with the investigations, 

(d) the duration of investigations that ended in the reporting 
period, and 

(e) the different types of outcome in investigations that ended in 
that period. 


(3) The report must include information about the enforcement powers 
exercised by the Commissioner in the reporting period in connection 
with— 

(a) processing of personal data by a competent authority for any of 
the law enforcement purposes, and 
(b) processing of personal data to which Part 4 applies. 


(4) The report must include information about — 


(a) the number of penalty notices given in the reporting period that 
were given more than 6 months after the notice of intent was 
given under paragraph 2 of Schedule 16, and 

(b) the reasons why that happened. 

(5) The report must include a review of how the Commissioner had regard 
to the guidance published under section 160 when exercising the 
Commissioner’s enforcement powers during the reporting period. 


(6) In this section— 
“enforcement powers” means the powers under — 
(a) Article 58(1)(c) and (d) and (2)(a) and (b) of the UK 
GDPR, 
(b) sections 142 to 159 of this Act, 
(c) paragraph 2(a), (b) and (c) of Schedule 13 to this Act, 
(d) Schedules 15 and 16 to this Act; 
“the law enforcement purposes” has the meaning given in section 
31 of this Act; 
“the reporting period” means the period to which the report 
relates; 


“UK GDPR investigation” means an investigation required under 
Article 57(1)(h) of the UK GDPR (investigations on the 
application of the UK GDPR).” 


39 Complaints to controllers 
(1) The 2018 Act is amended as follows. 
(2) Before section 165 (but after the cross-heading preceding it) insert — 
“164A Complaints by data subjects to controllers 


(1) A data subject may make a complaint to the controller if the data subject 
considers that, in connection with personal data relating to the data 
subject, there is an infringement of the UK GDPR or Part 3 of this Act. 


(2) A controller must facilitate the making of complaints under this section 
by taking steps such as providing a complaint form which can be 
completed electronically and by other means. 


(3) If a controller receives a complaint under this section, the controller 
must acknowledge receipt of the complaint within the period of 30 days 
beginning with the day on which it is received. 


(4) If a controller receives a complaint under this section, the controller 
must without undue delay — 


(a) take appropriate steps to respond to the complaint, and 
(b) inform the complainant of the outcome of the complaint. 


(5) The reference in subsection (4)(a) to taking appropriate steps to 
respond to the complaint includes — 
(a) making enquiries into the subject matter of the complaint, to the 
extent appropriate, and 
(b) informing the complainant about progress on the complaint. 


164B Controllers to notify the Commissioner of the number of complaints 


(1) The Secretary of State may by regulations require a controller to notify 
the Commissioner of the number of complaints made to the controller 
under section 164A in periods specified or described in the regulations. 

(2) Regulations under this section may provide that a controller is required 
to make a notification to the Commissioner in respect of a period only 
in circumstances specified in the regulations. 


(3) Regulations under this section may include — 
(a) provision about a matter listed in subsection (4), or 


(b) provision conferring power on the Commissioner to determine 
those matters. 


(4) The matters are— 
(a) the form and manner in which a notification must be made, 


(b) the time at which, or period within which, a notification must be 
made, and 


(c) how the number of complaints made to a controller during a 
period is to be calculated. 


(5) Regulations under this section are subject to the negative resolution 
procedure.” 


40 Power of the Commissioner to refuse to act on certain complaints 
(1) The 2018 Act is amended as follows. 


(2) In section 165 (complaints by data subject to the Commissioner) — 
(a) omit subsection (1), 
(b) in subsection (2), after “infringement of” insert “the UK GDPR or”, and 
(c) after subsection (5) insert — 


“(5A) Subsection (4) does not apply if the Commissioner refuses to act 
on the complaint in reliance on section 165A.” 


(3) After section 165 insert — 
“165A Power of Commissioner to refuse to act on certain complaints 


(1) The Commissioner may refuse to act on a complaint under section 165 
if condition A, B or C is met. 


(2) Condition A is that— 


(a) the complaint concerns an infringement of the UK GDPR or Part 
3 of this Act, and 


(b) the complaint has not been made to the controller under section 
164A. 


(3) Condition B is that— 
(a) the complaint has been made to the controller under section 
164A, 
(b) the controller has not finished handling the complaint in 
accordance with subsection (4) of that section, and 
(c) the period of 45 days beginning with the day the complaint was 
made to the controller under that section has not expired. 


(4) Condition C is that the complaint is vexatious or excessive (see section 
204A). 


(5) In any proceedings where there is an issue as to whether a complaint is 
vexatious or excessive, it is for the Commissioner to show that it is. 

(6) If the Commissioner refuses to act on a complaint under section 165, the 
Commissioner must inform the complainant of — 


(a) the refusal and the reasons for it, and 
(b) the right under section 166A. 


(7) If the Commissioner refuses to act on a complaint under section 165 that 
does not prevent the complainant making the complaint again. 


165B Guidance about responding to complaints and refusing to act 


(1) The Commissioner must produce and publish guidance about — 


(a) how the Commissioner proposes to respond to complaints 
made under section 165, and 


(b) how the Commissioner proposes to exercise the discretion 
conferred by section 165A to refuse to act on a complaint. 


(2) The Commissioner — 
(a) may alter or replace guidance produced under this section, and 
(b) must publish any altered or replacement guidance. 
(3) Before producing guidance under this section (including any altered or 
replacement guidance), the Commissioner must consult — 
(a) the Secretary of State, and 
(b) such other persons as the Commissioner considers appropriate. 
(4) The Commissioner must arrange for any guidance under this section 
(including any altered or replacement guidance) to be laid before 
Parliament.” 


(4) In section 166 (orders to progress complaints), after subsection (1) insert — 


“(1A) But this section does not apply if the Commissioner refuses to act on the 
complaint in reliance on section 165A.” 


(5) After section 166 insert — 
“166A Appeals against refusal of Commissioner to act on complaint 


(1) Where the Commissioner refuses to act on a complaint in reliance on 
section 165A, the person who made the complaint may appeal to the 
Tribunal. 


(2) The Tribunal may review any determination of fact on which the 
refusal to act was based. 
(3) If the Tribunal considers — 
(a) that the refusal to act is not in accordance with the law, or 


(b) that the Commissioner ought not to have exercised the 
discretion to refuse to act, 


the Tribunal must allow the appeal. 


(4) Otherwise, the Tribunal must dismiss the appeal.” 


41 Complaints: minor and consequential amendments 


Schedule 8 contains minor and consequential amendments relating to 
complaints by data subjects. 

42 Consequential amendments to the EITSET Regulations 


(1) Schedule 2 to the Electronic Identification and Trust Services for Electronic 
Transactions Regulations 2016 (S.I. 2016/696) is amended as follows. 


(2) In paragraph 1 (provisions of the 2018 Act applied for enforcement 
purposes) — 
(a) after paragraph (g) insert — 
“(ga) 146A (assessment notices: approval of person to prepare 
report etc);”, and 
(b) after paragraph (i) insert — 
“(ia) 148A (interview notices); 
(ib) 148B (interview notices: restrictions); 
(ic) 148C (false statements made in response to interview 
notices);”. 


(3) In paragraph 4(2) (modification of section 143 (information notices: 
restrictions)) — 


(a) in paragraph (b), for “or 148” substitute “, 148 or 148C”, and 
(b) in paragraph (c), after “148” insert “or 148C”. 


(4) In paragraph 6 (modification of section 146 (assessment notices)), in sub- 
paragraph (2) — 
(a) for paragraph (b) substitute — 
“(b) subsection (2) has effect as if — 
(i) for “controller or processor” there were 
substituted “trust service provider”, 
(ii) paragraphs (h) and (i) were omitted;”, 
(b) in paragraph (c), for “subsections (7), (8), (9) and (10)” substitute 
“subsections (3A), (7), (8), (9), (10) and (11A)”, and 
(c) in paragraph (d), for “or 148” substitute “, 148 or 148C”. 


(5) After paragraph 6 insert — 


“Modification of section 146A (assessment notices: approval of person to prepare 
report etc) 


6A Section 146A has effect as if for “controller or processor” (in each 
place) there were substituted “trust service provider”. 


(6) After paragraph 7 insert — 


“Modification of section 148A (interview notices) 


7A Section 148A has effect as if — 
(a) in subsection (1) — 

(i) for “controller or processor” there were substituted 
“trust service provider”; 

(ii) in paragraph (a), for “as described in section 149(2)” 
there were substituted “to comply with the eIDAS 
requirements”; 

(iii) in paragraph (b), for “this Act” there were substituted 
“section 144, 148, 148C or paragraph 15 of Schedule 
15”; 
(b) in subsection (3), for “controller or processor” (in each place) 
there were substituted “trust service provider”. 


Modification of section 148B (interview notices: restrictions) 
7B (1) Section 148B has effect as if subsections (8) and (9) were omitted. 


(2) In that section— 

(a) subsections (2)(b) and (3)(b) have effect as if for “the data 
protection legislation” there were substituted “the eIDAS 
Regulation or the EITSET Regulations”; 

(b) subsection (6)(a) has effect as if for “this Act” there were 
substituted “section 144, 148 or 148C or paragraph 15 of 
Schedule 15”; 

(c) subsection (7) has effect as if for “this Act (other than an 
offence under section 148C)” there were substituted “section 
144, 148 or paragraph 15 of Schedule 15”.” 


(7) In paragraph 12 (modification of Schedule 15 (powers of entry and 
inspection)), in sub-paragraph (2), in the substituted paragraph (a), for “or 148” 
substitute “, 148 or 148C”. 


(8) Omit paragraph 21 (modification of section 182 (regulations and consultation)) 
and the heading before it. 


(9) In paragraph 22 (modification of section 196 (penalties for offences)), in 
sub-paragraph (2)(b), for “or 148” substitute “, 148 or 148C”. 


Protection of prohibitions and restrictions 


43 Protection of prohibitions and restrictions on processing personal data 


In the 2018 Act, after section 183 insert — 


“Prohibitions and restrictions on processing personal data 
183A Protection of prohibitions and restrictions on processing personal data 


(1) An enactment imposing a duty, or conferring a power, to process 
personal data (however expressed) does not override a prohibition or 
restriction on processing personal data imposed by the data protection 
legislation. 


(2) Subsection (1) does not apply where express provision to the contrary 
is made referring to this section or to the data protection legislation (or 
a provision of that legislation). 


(3) Subsection (1) does not prevent a duty or power to process personal 
data from being taken into account for the purpose of determining 
whether it is possible to rely on an exception to a prohibition or 
restriction in the data protection legislation that is available where 
there is such a duty or power. 


(4) Subsection (1) does not apply — 
(a) to an enactment so far as passed or made before the day on 
which section 43 of the Data Protection and Digital Information 
Act 2022 comes into force, or 

(b) to an enactment forming part of the data protection legislation.” 


Miscellaneous 


44 Regulations under the UK GDPR 
In the UK GDPR, after Chapter 9 insert — 


“CHAPTER 9A 


Regulations 


Article 91A 
Regulations made by Secretary of State 


1. This Article makes provision about regulations made by the Secretary of 
State under this Regulation (“UK GDPR regulations”). 


2. Before making UK GDPR regulations, the Secretary of State must 
consult — 


(a) the Commissioner, and 
(b) such other persons as the Secretary of State considers appropriate. 


3. Paragraph 2 does not apply to regulations made under Article 49A where 
the Secretary of State has made an urgency statement in respect of them. 


4. UK GDPR regulations may — 
(a) make different provision for different purposes; 


(b) include consequential, supplementary, incidental, transitional, 
transitory or saving provision. 


5. UK GDPR regulations are to be made by statutory instrument. 


6. For the purposes of this Regulation, where regulations are subject to “the 
negative resolution procedure”, the statutory instrument containing the 
regulations is subject to annulment in pursuance of a resolution of either House 
of Parliament. 


7. For the purposes of this Regulation, where regulations are subject to “the 
affirmative resolution procedure”, the regulations may not be made unless a 
draft of the statutory instrument containing them has been laid before 
Parliament and approved by a resolution of each House of Parliament. 


8. For the purposes of this Regulation, where regulations are subject to “the 
made affirmative resolution procedure” — 
(a) the statutory instrument containing the regulations must be laid 
before Parliament after being made, together with the urgency 
statement in respect of them, and 


(b) the regulations cease to have effect at the end of the period of 120 days 
beginning with the day on which the instrument is made, unless 
within that period the instrument is approved by a resolution of each 
House of Parliament. 


9. In calculating the period of 120 days, no account is to be taken of any 
whole days that fall within a period during which — 


(a) Parliament is dissolved or prorogued, or 
(b) both Houses of Parliament are adjourned for more than 4 days. 


10. Where regulations cease to have effect as a result of paragraph 8, that 
does not — 


(a) affect anything previously done under the regulations, or 
(b) prevent the making of new regulations. 


11. Any provision that may be included in UK GDPR regulations subject to 
the negative resolution procedure may be made by regulations subject to the 
affirmative resolution procedure or the made affirmative resolution 
procedure. 


12. A requirement under this Article to consult may be satisfied by 
consultation before, as well as by consultation after, the provision conferring 
the power to make regulations comes into force. 


13. In this Article, “urgency statement”, in relation to regulations, means a 
reasoned statement that the Secretary of State considers it desirable for the 
regulations to come into force without delay.” 


In section 3(9) of the 2018 Act (definition of “data protection legislation”), in 
paragraph (d), after “Act” insert “or the UK GDPR”. 


45 Minor amendments 


Schedule 9 contains minor amendments of the UK GDPR and the 2018 Act. 


PART 2 


DIGITAL VERIFICATION SERVICES 


Introductory 


46 Introductory 


(1) This Part contains provision to secure the reliability of digital verification 
services by means of — 
(a) a trust framework (see section 47), 
(b) a register (see section 48), 
(c) an information gateway (see section 54), and 
(d) a trust mark (see section 57). 


(2) In this Part— 


“digital verification services” means verification services provided to any 
extent by means of the internet, and 


“verification services” means services that are provided at the request of 
an individual and consist in— 


(a) ascertaining or verifying a fact about the individual from 
information provided otherwise than by the individual, and 


(b) confirming to another person that the fact about the individual 
has been ascertained or verified from information so provided. 


DVS trust framework 


47 DVS trust framework 


(1) The Secretary of State must prepare and publish a document setting out rules 
concerning the provision of digital verification services. 


(2) The document is referred to in this Part as the DVS trust framework. 


(3) In preparing the DVS trust framework, the Secretary of State must consult — 
(a) the Information Commissioner, and 
(b) such other persons as the Secretary of State thinks appropriate. 


(4) The requirement in subsection (3) may be satisfied by consultation undertaken 
before the coming into force of this section. 


(5) At least every 12 months, the Secretary of State must — 
(a) carry out a review of the DVS trust framework, and 
(b) in doing so, consult the persons mentioned in subsection (3). 


(6) The Secretary of State may revise and republish the DVS trust framework, 
whether following a review under subsection (5) or otherwise. 


(7) The DVS trust framework, and any revised version of the framework, comes 
into force at the time of its publication, unless it specifies a different 
commencement time. 


(8) The DVS trust framework, and any revised version of the framework, may — 
(a) specify different commencement times for different purposes, and 
(b) include transitional provisions and savings. 


DVS register 


48 DVS register 


(1) The Secretary of State must establish and maintain a register of persons 
providing digital verification services. 


(2) The register is referred to in this Part as the DVS register. 

(3) The Secretary of State must make the DVS register publicly available. 


(4) The Secretary of State must, subject to section 52(9), register a person providing 
digital verification services in the DVS register if — 

(a) the person holds a certificate from an accredited conformity assessment 
body certifying that the digital verification services provided by the 
person are provided in accordance with the DVS trust framework, 

(b) the person applies to be registered in the DVS register in respect of the 
digital verification services to which the certificate relates, 

(c) the application complies with any requirements imposed by a 
determination under section 49, and 


(d) the person pays any fee required to be paid by a determination under 
section 50(1). 


(5) The Secretary of State may not otherwise register a person in the DVS register. 


(6) For the purposes of subsection (4)(a), a certificate is to be ignored if — 
(a) it has expired in accordance with its terms, 
(b) it has been withdrawn by the body that issued it, or 


(c) it is required to be ignored by reason of provision included in the DVS 
trust framework under section 53. 


(7) In this section — 


“accredited conformity assessment body” means a conformity assessment 
body that is accredited by the UK national accreditation body in 
accordance with Article 5 of the Accreditation Regulation as competent 
to carry out assessments of whether digital verification services are 
provided in accordance with the DVS trust framework; 


“the Accreditation Regulation” means Regulation (EC) No 765/2008 of 
the European Parliament and of the Council of 9 July 2008 setting out 
the requirements for accreditation and market surveillance relating to 
the marketing of products and repealing Regulation (EEC) No 339/93; 

“conformity assessment body” has the same meaning as in the 
Accreditation Regulation (see Article 2(13) of that Regulation); 


“the UK national accreditation body” means the UK national accreditation 
body for the purposes of Article 4(1) of the Accreditation Regulation. 


49 Applications for registration 


(1) The Secretary of State may determine — 
(a) the form of an application for registration in the DVS register, 


(b) the information to be contained in or provided with an application for 
registration in that register, 


(c) the documents to be provided with an application for registration in 
that register, and 


(d) the manner in which an application for registration in that register is to 
be submitted. 


(2) A determination may make different provision for different purposes. 
(3) The Secretary of State must publish a determination. 


(4) The Secretary of State may revise a determination. 

(5) If the Secretary of State revises a determination the Secretary of State must 
publish the determination as revised. 


50 Fees for registration 


(1) The Secretary of State may determine that a person who applies for registration in the 
DVS register must pay a fee to the Secretary of State of an amount specified in the 
determination. 


(2) A determination under subsection (1) may specify an amount which exceeds 
the administrative costs of determining an application for registration. 


(3) The Secretary of State may determine that a person who is registered in the 
DVS register must, at times specified in the determination, pay a fee to the 
Secretary of State of an amount specified in the determination. 


(4) A determination under subsection (3) may specify an amount which exceeds 
the administrative costs associated with a person’s continued registration in 
the DVS register. 


(5) A fee payable under subsection (3) is recoverable summarily as a civil debt. 


(6) A determination may make different provision for different purposes. 


(7) The Secretary of State must publish a determination. 


(8) The Secretary of State may revise a determination. 


(9) If the Secretary of State revises a determination the Secretary of State must 
publish the determination as revised. 


51 Duty to remove person from the DVS register 


(1) The Secretary of State must remove a person from the DVS register if the 
person — 


(a) asks to be removed from the register, 


(b) ceases to provide digital verification services in respect of which the 
person is registered in the register, or 


(c) no longer holds a certificate from an accredited conformity assessment 
body certifying that those digital verification services are provided in 
accordance with the DVS trust framework. 


(2) For the purposes of subsection (1)(c), a certificate is to be ignored if — 
(a) it has expired in accordance with its terms, 
(b) it has been withdrawn by the body that issued it, or 


(c) it is required to be ignored by reason of provision included in the DVS 
trust framework under section 53. 


(3) In this section, “accredited conformity assessment body” has the same meaning 
as in section 48. 


52 Power to remove person from the DVS register 


(1) The Secretary of State may remove a person from the DVS register if the 
Secretary of State is satisfied that — 
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(10) 


(a) the person is failing to provide digital verification services in respect of 
which the person is registered in accordance with DVS trust 
framework, or 

(b) the person has failed to provide the Secretary of State with information 
in accordance with a notice under section 58. 


Before removing a person from the DVS register under this section the 
Secretary of State must, by written notice, inform the person that the Secretary 
of State intends to do so. 


The notice must — 
(a) state the name and address of the person, 
(b) state the reason why the Secretary of State is satisfied that the person is 
failing or has failed as mentioned in subsection (1), 
(c) state the period the Secretary of State intends to specify in the notice 
under subsection (8), 
(d) state that the person may make written representations to the Secretary 
of State about — 
(i) the Secretary of State’s intention to remove the person from the 
DVS register, and 
(ii) the period the Secretary of State intends to specify in the notice 
under subsection (8), and 
(e) specify the period within which such representations may be made. 


(4) The period specified for making written representations must be a period of
not less than 21 days beginning with the day the notice is given. 


(5) If the Secretary of State considers that it is appropriate for the person to have
an opportunity to make oral representations about the matters mentioned in 
subsection (3)(d), the notice must also — 

(a) state that the person may make such representations, and 


(b) specify the arrangements for making such representations and the time 
at which, or the period within which, they may be made. 


(6) The Secretary of State may not remove the person from the DVS register before
a time, or before the end of a period, specified in the notice for making oral or 
written representations. 


(7) When deciding whether to remove the person from the DVS register, the
Secretary of State must consider any oral or written representations made by 
the person in accordance with the notice. 


(8) Where the Secretary of State removes the person from the DVS register, the
Secretary of State must by written notice inform the person — 
(a) that the person has been removed from the register, and 
(b) that any application for re-registration made by the person during a 
period specified in the notice must be refused. 


(9) If the person applies to be re-registered during the period specified in the
notice under subsection (8)(b) the Secretary of State must refuse the 
application. 


(10) The period specified in the notice under subsection (8)(b) must begin with the
day the notice is given and must not exceed two years. 

53 Revising the DVS trust framework: top-up certificates


(1) This section applies where the Secretary of State revises and republishes the 
DVS trust framework and the revisions include — 


(a) the addition of a rule, or 
(b) the alteration of an existing rule. 


(2) The DVS trust framework may provide that, on and after a specified date, a 
pre-revision certificate is required to be ignored for the purposes of section 
48(4)(a) and 51(1)(c), unless the person holding the certificate also holds a
top-up certificate from an accredited conformity assessment body.


(3) In this section— 
“accredited conformity assessment body” has the same meaning as in 
section 48; 


“pre-revision certificate” means a certificate issued before the time the 
additional rule or (as the case may be) the alteration of the existing rule 
comes into force; 


“top-up certificate” means a certificate certifying that the digital 
verification services provided by the holder of the certificate are 
provided in accordance with the additional rule or (as the case may be) 
the existing rule, as altered; 


“specified” means specified in the DVS trust framework. 

Information gateway


54 Power of public authority to disclose information to registered person 


(1) This section applies where — 
(a) a person is registered in the DVS register, and


(b) an individual makes a request to the person for the provision of digital 
verification services in respect of which the person is registered. 


(2) A public authority may disclose to the person information relating to the 
individual for the purpose of enabling the person to provide the digital 
verification services for the individual. 


(3) A disclosure of information under this section does not breach — 
(a) any obligation of confidence owed by the public authority making the 
disclosure, or 
(b) any other restriction on the disclosure of information (however 
imposed). 


(4) But this section does not authorise a disclosure of information which— 

(a) would contravene the data protection legislation (but in determining 
whether a disclosure would do so, the power conferred by this section 
is to be taken into account), or 

(b) is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the 
Investigatory Powers Act 2016. 


(5) This section does not authorise a public authority to disclose information 
obtained by the authority otherwise than in connection with the exercise by the 
authority of functions of a public nature. 
(6) This section does not affect a power to disclose information that exists apart
from this section. 


(7) A public authority may charge a person fees in respect of the disclosure to the 
person of information under this section. 


(8) In this section— 
“data protection legislation” has the same meaning as in the 2018 Act (see 
section 3 of that Act); 
“public authority” means a person exercising functions of a public nature. 


55 Information disclosed by the Revenue and Customs 


(1) This section applies where the Revenue and Customs disclose personal 
information to a person under section 54 for the purpose of enabling the person 
to provide digital verification services for an individual. 


(2) The person must not further disclose the information otherwise than for the 
purpose of providing digital verification services for the individual, except 
with the consent of the Commissioners for Her Majesty’s Revenue and 
Customs. 


(3) Any other person who receives the information, whether directly or indirectly 
from the person to whom the Revenue and Customs disclose the information, 
must not further disclose the information, except with the consent of the 
Commissioners for Her Majesty’s Revenue and Customs. 


(4) If a person discloses information in contravention of this section, section 19 of
the Commissioners for Revenue and Customs Act 2005 (offence of wrongful 
disclosure) applies in relation to that disclosure as it applies in relation to a 
disclosure of information in contravention of section 20(9) of that Act. 


(5) In this section— 
“personal information” means information relating to a person whose 
identity — 
(a) is specified in the information, or 
(b) can be deduced from it; 


“the Revenue and Customs” has the meaning given by section 17(3) of the 
Commissioners for Revenue and Customs Act 2005. 


56 Code of practice about the disclosure of information 


(1) The Secretary of State must prepare and publish a code of practice about the 
disclosure of information under section 54. 


(2) The code of practice must be consistent with the code of practice prepared 
under section 121 of the 2018 Act (data-sharing code) and issued under section 
125(4) of that Act (as altered or replaced from time to time). 


(3) A public authority must have regard to the code of practice in disclosing 
information under section 54. 


(4) The Secretary of State may from time to time revise and republish the code of 
practice. 


(5) In preparing or revising the code of practice, the Secretary of State must 
consult — 
(a) the Information Commissioner, and
(b) such other persons as the Secretary of State thinks appropriate. 


(6) The requirement in subsection (5) may be satisfied by consultation undertaken 
before the coming into force of this section. 


(7) The Secretary of State may not publish the first version of the code of practice 
unless a draft of the code has been laid before, and approved by a resolution 
of, each House of Parliament. 


(8) The Secretary of State may not republish the code of practice following its 
revision unless — 
(a) a draft of the code as revised has been laid before each House of 
Parliament, and 
(b) the 40-day period has expired without either House of Parliament 
resolving not to approve the draft. 


(9) “The 40-day period” means — 
(a) the period of 40 days beginning with the day on which the draft is laid 
before Parliament, or 
(b) if the draft is not laid before each House on the same day, the period of 
40 days beginning with the later of the days on which it is laid before 
Parliament. 


(10) In calculating the 40-day period, no account is to be taken of any whole days 
that fall within a period during which Parliament is dissolved or prorogued or 
during which both Houses are adjourned for more than 4 days. 


(11) In this section, “public authority” means a person exercising functions of a 
public nature. 


Trust mark 


57 Trust mark for use by registered persons


(1) The Secretary of State may designate a mark for use in the course of providing, 
or offering to provide, digital verification services. 


(2) A mark designated under this section must be published by the Secretary of 
State. 


(3) A mark designated under this section may not be used by a person in the 
course of providing, or offering to provide, digital verification services unless 
the person is registered in the DVS register in respect of those digital 
verification services. 


(4) The Secretary of State may enforce subsection (3) in civil proceedings for an 
injunction or, in Scotland, an interdict. 


Supplementary 


58 Power of Secretary of State to require information 


(1) The Secretary of State may by written notice require —
(a) an accredited conformity assessment body, or
(b) a person registered in the DVS register,
to provide the Secretary of State with information that the Secretary of State
reasonably requires for the purposes of the exercise of the Secretary of State’s 
functions under this Part. 


(2) A notice under this section must state why the information is required for the
purposes of the exercise of those functions. 


(3) A notice under this section —
(a) may specify or describe particular information or a category of 
information; 
(b) may specify the form in which the information must be provided; 


(c) may specify the time at which, or the period within which, the 
information must be provided; 


(d) may specify the place where the information must be provided. 


(4) A notice under this section that is given to a person registered in the DVS
register must provide information about the consequences under section 52 of 
failure to comply with the notice. 


(5) The Secretary of State may cancel a notice under this section by notice to the
person to whom it was given. 


(6) A disclosure of information required by a notice under this section does not
breach— 
(a) any obligation of confidence owed by the person making the 
disclosure, or 
(b) any other restriction on the disclosure of information (however 
imposed). 


(7) But a notice under this section does not require a disclosure of information if
the disclosure — 

(a) would contravene section 55, 

(b) would contravene the data protection legislation (but in determining 
whether a disclosure would do so, the duty imposed by the notice is to 
be taken into account), or 

(c) is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the 
Investigatory Powers Act 2016. 


(8) A notice under this section does not require a person to provide the Secretary
of State with information in respect of a communication which is made — 
(a) between a professional legal adviser and the adviser’s client, and 
(b) in connection with the giving of legal advice to the client with respect 
to obligations, liabilities or rights under this Part. 


(9) In subsection (8) references to the client of a professional legal adviser include
references to a person acting on behalf of the client. 


(10) A notice under this section does not require a person to provide the Secretary
of State with information if doing so would, by revealing the commission of an
offence, expose the person to proceedings for that offence.


(11) The reference to an offence in subsection (10) does not include an offence
under — 
(a) section 5 of the Perjury Act 1911 (false statements made otherwise than 
on oath); 
(b) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995
(false statements made otherwise than on oath); 


(c) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 
(N.I. 19)) (false statutory declarations and other false unsworn 
statements). 


(12) In this section— 
“accredited conformity assessment body” has the same meaning as in 
section 48; 


“data protection legislation” has the same meaning as in the 2018 Act (see 
section 3 of that Act). 


59 Arrangements for third party to exercise functions 


(1) The Secretary of State may make arrangements for a person prescribed by 
regulations under this section to exercise functions of the Secretary of State 
under this Part (and where arrangements are made, references in this Part to 
the Secretary of State are to be read accordingly). 


(2) Arrangements under this section may — 
(a) provide for the Secretary of State to make payments to the person, and 
(b) make provision as to the circumstances in which any such payments 
are to be repaid to the Secretary of State. 


(3) Regulations under this section are subject to the affirmative resolution 
procedure. 


60 Report on the operation of this Part 


(1) The Secretary of State must prepare and publish reports on the operation of 
this Part. 


(2) The first report must be published within the period of 12 months beginning 
with the day on which section 47 comes into force. 


(3) The reports must be published not more than 12 months apart. 

PART 3


CUSTOMER DATA AND BUSINESS DATA 


61 Customer data and business data 


(1) This Part confers powers on the Secretary of State and the Treasury to make 
provision in connection with access to customer data and business data. 


(2) In this Part— 
“business data”, in relation to a trader, means — 

(a) information about goods, services and digital content supplied 
or provided by the trader, 

(b) information relating to the supply or provision of goods, 
services and digital content by the trader (such as, for example, 
information about where they are supplied, the terms on which 
they are supplied or provided, prices or performance), 
(c) information relating to feedback from customers about the
goods, services or digital content, and 


(d) information relating to the provision of business data to a 
person in accordance with data regulations; 


“customer data” means information relating to a customer of a trader,
including —
(a) information relating to transactions between a customer and the 
trader, and 


(b) information relating to the provision of customer data to a 
person in accordance with data regulations; 
“data holder”, in relation to customer data or business data of a trader, 
means — 
(a) the trader, or 
(b) a person who, in the course of a business, processes the data; 
“data regulations” means regulations under section 62 or 64; 


“trader” means a person who supplies or provides goods, services or 
digital content in the course of a business, whether acting personally or 
through another person acting in the trader’s name or on the trader’s 
behalf. 


(3) For the purposes of this Part, a person (“C”) is a customer of a trader (“T”) if— 
(a) C has at any time purchased goods, services or digital content supplied
or provided by T (whether for use by C or another person) or received 
such goods, services or digital content free of charge from T, and 
(b) the purchase or receipt occurred — 
(i) otherwise than in the course of a business, or 
(ii) in the course of a business of a description specified by the 
Secretary of State or the Treasury by regulations. 


(4) In subsection (3)(a), the reference to a purchase made at any time includes a 
purchase made before this section comes into force. 


(5) In this Part— 

(a) a reference to providing customer data or business data to a person 
includes a reference to providing the person with access to such data or 
with the ability to provide other persons with access to such data, and 

(b) a reference to a person receiving customer data or business data 
includes a reference to a person obtaining access to such data or the 
ability to provide other persons with access to such data. 


62 Power to make provision in connection with customer data 


(1) The Secretary of State or the Treasury may by regulations make provision 
requiring a data holder to provide customer data— 
(a) to the customer, at the customer’s request, or
(b) to a person who is authorised by the customer to receive the data (an
“authorised person”), at the customer’s request or at the authorised 
person’s request. 


(2) The Secretary of State or the Treasury may by regulations make provision 
enabling or requiring a data holder — 
(a) to produce, collect or retain, or arrange for the production, collection or 
retention of, customer data; 
(b) to make changes to customer data, including to require rectification of 
inaccurate customer data, at the request of a customer or authorised 
person. 


(3) The Secretary of State or the Treasury may by regulations make provision for
an authorised person who receives customer data at a customer’s request to 
exercise, on the customer’s behalf, some or all of the customer’s rights in 
relation to a person who is, or has been, a data holder in relation to the 
customer data. 


(4) In deciding whether to make regulations under this section, the Secretary of
State or the Treasury must have regard to (among other things) — 

(a) the likely effects for existing and future customers, 

(b) the likely effects for data holders, 

(c) the likely effect on small businesses and micro businesses, 

(d) the likely effect on innovation in the supply or provision of goods, 
services and digital content affected by the regulations or other goods, 
services and digital content, and 

(e) the likely effect on competition in markets for goods, services and 
digital content affected by the regulations or other markets. 


63 Customer data: supplementary


(1) This section is about provision that regulations under section 62 may (among
other things) contain. 


(2) The regulations may make provision about requests relating to customer data,
including provision about the circumstances in which a data holder may or 
must refuse to act on a request. 


(3) The regulations may make provision about the procedure by which customers
authorise persons to receive, or act on their behalf in relation to, customer data, 
including — 

(a) provision restricting the persons that may be authorised to persons that 
comply with specified conditions or conditions imposed by a specified 
person; 

(b) provision for a specified person (a “decision-maker”) to decide whether
a person satisfies the conditions for authorisation (and see section 66 for 
further provision about decision-makers). 


(4) The regulations may make provision about the providing of customer data and
the exercising of customer rights, including — 

(a) provision requiring customer data to be provided on one or more 
occasions, for a specified period or at specified intervals; 

(b) provision requiring the use of specified facilities or services, including 
dashboard services, other electronic communications services or 
application programme interfaces; 

(c) provision requiring a data holder to participate in, or comply with, 
arrangements for establishing, maintaining or managing such facilities 
or services; 

(d) provision requiring a data holder to provide, or arrange for, assistance 
in connection with the establishment, maintenance or management of 
such facilities or services. 


(5) The regulations may include —
(a) provision enabling or requiring a data holder to produce, collect or
retain, or arrange for the production, collection or retention of, records
of customer data provided in accordance with the regulations;
(b) provision enabling or requiring an authorised person to produce or
retain, or arrange for the production or retention of, records of
customer data received in accordance with the regulations.


(6) The regulations may make provision requiring a person who, in the course of
a business, processes customer data of a trader to assist, or take specified steps 
to assist, the trader in complying with regulations under this Part. 


(7) The regulations may make provision about the processing of customer data
provided to an authorised person in accordance with the regulations, 
including — 

(a) provision requiring the use of specified facilities or services, including 
dashboard services, other electronic communications services or 
application programme interfaces; 

(b) provision requiring the authorised person to participate in, or comply 
with, arrangements for establishing, maintaining or managing such 
facilities or services; 

(c) provision requiring the authorised person to provide, or arrange for, 
assistance in connection with the establishment, maintenance or 
management of such facilities or services; 

(d) provision about further disclosure of the data, including provision for 
a person to whom customer data is further disclosed to be subject to— 

(i) some or all of the obligations imposed on an authorised person 
by the regulations in relation to the customer data; 


(ii) conditions imposed by the authorised person. 


(8) The regulations may make provision enabling or requiring a data holder or an
authorised person to publish specified information relating to the rights and 
obligations of persons under the regulations, including — 
(a) information about the rights of customers in relation to customer data 
processed by the data holder or authorised person; 
(b) information about the activities carried out by the data holder or 
authorised person in performance of their obligations under the 
regulations. 


(9) The regulations may make provision about complaints, including provision
requiring data holders, authorised persons or decision-makers to implement 
procedures for the handling of complaints. 


(10) The regulations may make provision about procedures for the resolution of
disputes, including — 
(a) provision appointing, or providing for the appointment of, a person to 
determine disputes; 
(b) provision about the person’s powers when determining disputes; 
(c) provision about the effect of decisions relating to disputes; 
(d) provision for the person to review the person’s decisions relating to 
disputes; 
(e) provision about appeals to a court or tribunal. 

64 Power to make provision in connection with business data


(1) The Secretary of State or the Treasury may by regulations make provision
requiring a data holder to publish business data or to provide business data on 
request — 

(a) to a customer of the trader, or

(b) to another person of a specified description (a “third party recipient”).


(2) The Secretary of State or the Treasury may by regulations make provision
enabling or requiring a data holder to produce, collect or retain, or arrange for 
the production, collection or retention of, business data. 


(3) In deciding whether to make regulations under this section, the Secretary of
State or the Treasury must have regard to (among other things) — 


(a) the likely effects for existing and future customers, 
(b) the likely effects for data holders, 
(c) the likely effect on small businesses and micro businesses, 

(d) the likely effect on innovation in the supply or provision of goods,
services and digital content affected by the regulations or other goods,
services and digital content, and
(e) the likely effect on competition in markets for goods, services and
digital content affected by the regulations or other markets.


65 Business data: supplementary


(1) This section is about provision that regulations under section 64 may (among
other things) contain. 


(2) The regulations may make provision about requests for business data,
including — 
(a) provision for requests to be made by a customer, a third party recipient 
or another person; 
(b) provision about the circumstances in which a data holder may or must 
refuse to act on a request. 


(3) The regulations may make provision requiring business data to be provided to
persons approved to receive it (“approved persons”), including —

(a) provision restricting the persons that may be approved to persons that 
comply with specified conditions or conditions imposed by a specified 
person; 

(b) provision for a specified person (a “decision-maker”) to decide whether
a person satisfies the conditions for approval (and see section 66 for 
further provision about decision-makers). 


(4) The regulations may make provision about the providing or publishing of
business data, including — 

(a) provision requiring business data to be provided or published on one 
or more occasions, for a specified period or at specified intervals; 

(b) provision requiring the use of specified facilities or services, including 
dashboard services, other electronic communications services or 
application programme interfaces; 

(c) provision requiring a data holder to participate in, or comply with, 
arrangements for establishing, maintaining or managing such facilities 
or services; 
(d) provision requiring a data holder to provide, or arrange for, assistance 
in connection with the establishment, maintenance or management of 
such facilities or services. 


(5) The regulations may include —

(a) provision enabling or requiring a data holder to produce, collect or 
retain, or arrange for the production, collection or retention of, records 
of business data provided in accordance with the regulations; 

(b) provision enabling or requiring a third party recipient to produce or 
retain, or arrange for the production or retention of, records of business 
data received in accordance with the regulations. 


(6) The regulations may make provision requiring a person who, in the course of
a business, processes business data of a trader to assist, or take specified steps 
to assist, the trader in complying with regulations under this Part. 


(7) The regulations may make provision about the processing of business data
provided to a person in accordance with the regulations, including — 

(a) provision requiring the use of specified facilities or services, including 
dashboard services, other electronic communications services or 
application programme interfaces; 

(b) provision requiring the person to participate in, or comply with, 
arrangements for establishing, maintaining or managing such facilities 
or services; 

(c) provision requiring the person to provide, or arrange for, assistance in 
connection with the establishment, maintenance or management of 
such facilities or services; 


(d) provision about further disclosure of the data, including provision for 
a person to whom business data is further disclosed to be subject to 
some or all of the obligations imposed on customers or third party 
recipients by the regulations in relation to the business data. 


(8) The regulations may make provision enabling or requiring a data holder or an
approved person to publish specified information relating to the rights and 
obligations of persons under the regulations, including information about the 
activities carried out by the data holder or approved person in performance of 
their obligations under the regulations. 


(9) The regulations may make provision about complaints, including provision
requiring data holders or decision-makers to implement procedures for the 
handling of complaints. 


(10) The regulations may make provision about procedures for the resolution of
disputes, including — 
(a) provision appointing, or providing for the appointment of, a person to 
determine disputes; 
(b) provision about the person’s powers when determining disputes; 
(c) provision about the effect of decisions relating to disputes; 
(d) provision for the person to review the person’s decisions relating to 
disputes; 
(e) provision about appeals to a court or tribunal. 

66 Decision-makers


(1) This section is about the provision about decision-makers that regulations
under section 62 or 64 must or may (among other things) contain. 


(2) The regulations may make provision about the appointment of a
decision-maker.


(3) The regulations may make provision enabling or requiring a decision-maker to
suspend or revoke a decision. 


(4) The regulations may confer powers on a decision-maker for the purpose of
monitoring compliance with conditions for authorisation or approval 
(“monitoring powers”) (and see section 67 for provision about enforcement of 
requirements imposed in exercise of those powers). 


(5) The powers that may be conferred under subsection (4) include powers to
require the provision of information (but such powers are subject to the 
restrictions in section 68 as well as any restrictions included in the regulations). 


(6) The regulations must make provision about the rights of persons affected by
the exercise of a decision-maker’s functions under the regulations and such 
provision may include (among other things) — 
(a) provision for decisions to be reviewed by the decision-maker or a 
specified person; 
(b) provision about appeals to a court or tribunal. 


(7) The regulations may make provision enabling or requiring a decision-maker to
publish, or provide to a specified person, specified information relating to the 
exercise of the decision-maker’s functions. 


(8) The regulations may make provision for a decision-maker to arrange for its
monitoring powers to be carried out by a specified person. 


(9) The regulations may —
(a) provide for functions under the regulations to be exercisable by more 
than one decision-maker (whether concurrently or jointly); 
(b) where functions of decision-makers are exercisable concurrently — 
(i) provide for one of the decision-makers to be the lead
decision-maker;
(ii) require the other decision-makers to consult the lead
decision-maker before exercising the functions in a particular case;


(iii) authorise the lead decision-maker to give directions as to which 
decision-maker is to exercise a function in a particular case. 


(10) The regulations may make provision enabling or requiring a decision-maker to
produce and publish guidance about how it proposes to exercise its functions
under the regulations (including provision enabling or requiring
decision-makers with functions exercisable jointly or concurrently to produce joint
guidance).


67 Enforcement of data regulations


(1) The Secretary of State or the Treasury may by regulations make provision—
(a) for the enforcement of data regulations, and 


(b) for the enforcement of requirements imposed in exercise of a power 
conferred by regulations under this Part, 
including provision for enforcement by a specified public body (an “enforcer”).


(2) The following subsections and sections 68 and 69 make provision about what
regulations under subsection (1) may or must (among other things) contain. 


(3) The regulations may confer powers of investigation on an enforcer,
including — 

(a) powers to require the provision of information, and 

(b) powers of entry, inspection, search and seizure, 


but such powers are subject to the restrictions in section 68 (as well as any 
restrictions included in the regulations). 


(4) The regulations may —
(a) make provision enabling an enforcer to issue a notice (“a compliance 
notice”) requiring compliance with — 
(i) data regulations; 
(ii) a condition for authorisation or approval imposed by a 
decision-maker; 
(iii) a requirement imposed in the exercise of a power conferred by 
regulations under this Part; 

(b) make provision for the enforcement of compliance notices, including 
provision for their enforcement as if they were orders of a court or 
tribunal; 

(c) make provision enabling an enforcer to publish a statement to the effect 
that the enforcer considers that a person is not complying with data 
regulations or a compliance notice. 


The regulations may make provision creating offences punishable with a fine 
(or a fine not exceeding an amount specified in the regulations) in respect of — 
(a) the provision of false or misleading information in response to a 
request made in accordance with regulations under this Part; 
(b) an act or omission (including falsification) which prevents an enforcer
or a decision-maker from accessing information, documents, 
equipment or other material. 


The regulations may make provision enabling a financial penalty to be 
imposed by an enforcer in respect of — 
(a) the provision of false or misleading information in response to a 
request made in accordance with regulations under this Part; 
(b) a failure to comply with a requirement imposed by data regulations; 
(c) a failure to comply with a requirement imposed by a compliance notice;
and see section 69 for further provision about financial penalties. 


The regulations may make provision about the rights of persons affected by the 
exercise of an enforcer’s functions under the regulations, including — 
(a) provision about the review of a decision made in exercise of those 
functions; 
(b) provision about appeals to a court or tribunal. 


The regulations may make provision about complaints, including provision 
requiring an enforcer to implement procedures for the handling of complaints. 


The regulations may make provision enabling or requiring an enforcer to 
publish, or to provide to a specified person, specified information relating to 
enforcement under the regulations, including — 
(a) information about the exercise of the enforcer’s functions, either
generally or in relation to a particular case, and 


(b) information about convictions for offences. 


(10) The regulations may make provision for an enforcer to arrange for its powers 
of investigation under the regulations to be carried out by a specified person. 


(11) The regulations may — 


(a) provide for functions under the regulations to be exercisable by more 
than one enforcer (whether concurrently or jointly); 


(b) where functions of enforcers are exercisable concurrently — 
(i) provide for one of the enforcers to be the lead enforcer; 
(ii) require the other enforcers to consult the lead enforcer before 
exercising the functions in a particular case; 
(iii) authorise the lead enforcer to give directions as to which 
enforcer is to exercise a function in a particular case. 


(12) The regulations may make provision enabling or requiring an enforcer to 
produce and publish guidance about how it proposes to exercise its functions 
under the regulations (including provision enabling or requiring enforcers 
with functions exercisable jointly or concurrently to produce joint guidance). 


68 Restrictions on powers of investigation etc 


(1) Regulations under this Part may not— 
(a) authorise entry to a private dwelling without a warrant issued by a 
justice, or 
(b) require a person to provide information within subsections (2) to (7) to 
a decision-maker or an enforcer. 


(2) Information is within this subsection if requiring a person to provide the 
information would involve an infringement of the privileges of either House of 
Parliament. 


(3) Information is within this subsection if it is information in respect of a 
communication which is made — 
(a) between a professional legal adviser and the adviser’s client, and 


(b) in connection with the giving of legal advice to the client with respect 
to obligations, liabilities or rights under data regulations. 


(4) Information is within this subsection if it is information in respect of a 
communication which is made — 
(a) between a professional legal adviser and the adviser’s client or between 
such an adviser or client and another person, 
(b) in connection with or in contemplation of proceedings under or arising 
out of data regulations, and 
(c) for the purposes of such proceedings. 


(5) In subsections (3) and (4), references to the client of a professional legal adviser
include references to a person acting on behalf of the client. 


(6) Information is within this subsection if requiring a person to provide the 
information would, by revealing evidence of the commission of an offence, 
expose the person to proceedings for that offence. 
(7) The reference to an offence in subsection (6) does not include an offence
under — 

(a) regulations made under this Part; 

(b) section 5 of the Perjury Act 1911 (false statements made otherwise than 
on oath); 

(c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 
(false statutory declarations and other false unsworn statements); 

(d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 
(N.I. 19)) (false statutory declarations and other false unsworn 
statements). 


(8) An oral or written statement provided by a person in response to a request for
information made by a decision-maker or an enforcer in accordance with 
regulations under this Part may not be used in evidence against that person on 
a prosecution for an offence (other than an offence under regulations made 
under this Part) unless in the proceedings — 

(a) in giving evidence the person provides information inconsistent with 
the statement, and 

(b) evidence relating to the statement is adduced, or a question relating to 
it is asked, by that person or on that person’s behalf.


(9) In this section “justice” means — 
(a) in England and Wales, a justice of the peace, 
(b) in Scotland, a sheriff or summary sheriff, and 
(c) in Northern Ireland, a lay magistrate. 


69 Financial penalties


(1) This section is about provision that regulations under this Part conferring
power on an enforcer to impose a financial penalty may or must (among other
things) contain.


(2) The amount of a financial penalty must be specified in, or determined in 
accordance with, the regulations. 


(3) The regulations must include provision — 

(a) requiring an enforcer to issue guidance about how the enforcer 
proposes to exercise any discretion to determine the amount of a 
financial penalty and to have regard to such guidance in exercising its 
discretion; 

(b) requiring an enforcer, before imposing a financial penalty on a person, 
to give the person written notice (a “notice of intent”) of the proposed 
financial penalty; 

(c) ensuring that the person is given an opportunity to make 
representations about the proposed financial penalty; 

(d) requiring the enforcer, after the period for making representations, to 
decide whether to impose the financial penalty; 

(e) requiring the enforcer, if they decide to impose the financial penalty, to 
give the person notice in writing (a “final notice”) imposing the penalty; 

(f) enabling a person on whom a financial penalty is imposed to appeal to 
a court or tribunal in accordance with the regulations; 

(g) as to the powers of the court or tribunal on such an appeal. 


(4) The regulations may include provision— 
(a) enabling a notice of intent or final notice to be withdrawn or amended;

(b) requiring an enforcer to withdraw a final notice in circumstances 
specified in the regulations; 

(c) for a financial penalty to be increased by an amount specified in or 
determined in accordance with the regulations in the event of late 
payment; 

(d) as to how financial penalties are recoverable. 


70 Fees 


(1) The Secretary of State or the Treasury may by regulations — 


(a) make provision enabling a person listed in subsection (2), or a person acting on 
their behalf, to require other persons to pay fees for the purpose of meeting 
expenses incurred, or to be incurred, in performing duties, or exercising 
powers, imposed or conferred by regulations under this Part, and 


(b) make provision about how amounts paid as fees must or may be used. 


(2) Those persons are— 
(a) data holders; 
(b) decision-makers; 
(c) enforcers; 
(d) other persons on whom duties are imposed, or powers are conferred,
by regulations under this Part. 


(3) Regulations under subsection (1) — 


(a) may only provide for a fee to be payable by persons that appear to the 
Secretary of State or the Treasury to be capable of being directly 
affected by the performance of duties, or the exercise of powers, 
imposed or conferred by regulations under this Part; 


(b) may provide for the amount of a fee to be an amount which is intended 
to exceed the cost of anything in respect of which the fee is charged. 


(4) Regulations under subsection (1) must provide for the amount of a fee to be — 


(a) a specified amount or an amount determined in accordance with the 
regulations, or 


(b) an amount not exceeding such an amount.


(5) Regulations under subsection (1) specifying the amount, or maximum amount, 
of a fee may provide for the amount to increase at specified times and by 
amounts determined in accordance with the regulations. 


(6) Regulations under subsection (1) enabling a person to determine the amount 
of a fee must require the person to publish information about the amount and 
how it is determined. 


(7) Regulations under subsection (1) may (among other things) make provision 
about — 


(a) interest on any unpaid amounts; 
(b) the recovery of unpaid amounts. 


71 Levy 
(1) The Secretary of State or the Treasury may by regulations — 
(a) impose, or provide for a specified public body to impose, a levy on data holders
for the purpose of meeting all or part of the expenses incurred, or to be incurred, 
during a period by decision-makers or enforcers or by persons acting on their 
behalf, and 

(b) make provision about how funds raised by means of the levy must or 
may be used. 


(2) Regulations under subsection (1) may only provide for a levy in respect of 
expenses of decision-makers or enforcers to be imposed on data holders that 
appear to the Secretary of State or the Treasury to be capable of being directly 
affected by the exercise of some or all of the functions conferred on the 
decision-makers or enforcers by regulations under this Part. 


(3) Regulations under subsection (1) providing for a specified public body to 
impose a levy must — 
(a) make provision about how the rate of the levy is to be determined; 
(b) make provision about how the period in respect of which the levy is 
payable is to be determined; 
(c) require the body to publish information about the rate, the period and 
how they are determined. 


(4) Regulations under subsection (1) may (among other things) make provision 
about — 
(a) interest on any unpaid amounts payable by way of a levy; 
(b) the recovery of such unpaid amounts. 


72 Financial assistance 


(1) The Secretary of State or the Treasury may give financial assistance to a person 
for the purpose of meeting any expenses incurred, or to be incurred, by the 
person in performing duties or exercising powers under, or in connection with, 
regulations made under this Part. 


(2) But subsection (1) does not enable financial assistance to be provided to data 
holders, customers, authorised persons or approved persons. 


(3) The financial assistance may be given on such terms and conditions as the 
Secretary of State or the Treasury considers appropriate. 


(4) In this section, “financial assistance” means any kind of financial assistance 
whether actual or contingent, including a grant, loan, guarantee or indemnity, 
but does not include buying a company’s share capital. 


73 Confidentiality and data protection 


(1) Except as provided by subsection (2), regulations under this Part may provide 
for the processing of information in accordance with the regulations not to be 
in breach of — 

(a) any obligation of confidence owed by the person processing the 
information, or 

(b) any other restriction on the processing of information (however 
imposed). 


(2) Regulations under this Part are not to be read as authorising or requiring 
processing of personal data that would contravene the data protection 
legislation (but in determining whether particular processing of data would do 
so, take into account the power conferred or duty imposed by the provision of
the regulations in question).


74 Regulations under this Part


(1) Regulations under this Part may (among other things) —

(a) make provision generally or in relation to particular cases; 

(b) make different provision for different purposes or areas; 

(c) make provision about the form and manner in which things must or 
may be done; 

(d) make provision about the content of requests, notices or other 
documents; 

(e) make provision about the time by which, or period within which, 
things must or may be done; 

(f) make provision by reference to specifications or technical requirements 
published from time to time by a specified person; 

(g) confer functions on a person, including functions involving the exercise 
of a discretion; 

(h) make incidental, supplementary, consequential, transitory, transitional 
or saving provision. 


Regulations under this Part making the following types of provision may 
amend or repeal primary legislation — 
(a) provision about the handling of complaints; 
(b) provision about the resolution of disputes; 
(c) provision about appeals; 
(d) provision described in subsection (1)(h). 


The following regulations under this Part are subject to the affirmative 
resolution procedure — 
(a) the first regulations under each of section 62(1), (2) and (3) making 
provision about a particular description of customer data, 
(b) the first regulations under each of section 64(1) and (2) making 
provision about a particular description of business data, 
(c) regulations under section 62 or 64 which make the requirements of 
regulations under this Part more onerous for data holders, 
(d) regulations under section 66(4), 67, 70 or 71, and 
(e) regulations which amend or repeal primary legislation. 


Other regulations under this Part are subject to the negative resolution 
procedure. 


Any provision that may be included in regulations under this Part subject to 
the negative resolution procedure may be made by regulations subject to the 
affirmative resolution procedure. 


Before making regulations which make provision described in subsection (3), 
the Secretary of State or the Treasury (as the case may be) must consult such of 
the following as the Secretary of State or the Treasury considers appropriate — 


(a) persons likely to be affected by the regulations; 


(b) sectoral regulators with functions in relation to data holders affected by 
the regulations. 


In this section, “primary legislation” means — 
(a) an Act of Parliament;
(b) an Act of the Scottish Parliament;
(c) a Measure or Act of Senedd Cymru; 
(d) Northern Ireland legislation; 
(e) retained direct principal EU legislation. 


75 Duty to review regulations 


(1) The relevant person must review data regulations for the time being in force — 
(a) before the end of the period of 5 years beginning with the day on which 
the regulations come into force, and 


(b) at subsequent intervals not exceeding 5 years. 


(2) In carrying out the review, the relevant person must have regard to the matters
to which the relevant person was required to have regard in deciding whether 
to make the regulations (see sections 62(4) and 64(3)). 


(3) The relevant person must prepare and publish a report setting out the findings 
of the review. 


(4) The relevant person may omit material from a report under this section before 
publication if the relevant person thinks the publication of that material — 
(a) would contravene the data protection legislation, or 
(b) might harm the commercial interests of any person. 


(5) The relevant person must lay a copy of any report published under this section 
before Parliament. 


(6) In this section, “relevant person” means —
(a) in the case of regulations made by the Treasury, the Treasury, and
(b) otherwise, the Secretary of State. 


76 Repeal of provisions relating to supply of customer data 


(1) Omit sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013 
(supply of customer data). 


77 Interpretation of this Part 


In this Part — 

“application programme interface” has the meaning given by section 74(3) 
of the Communications Act 2003; 

“approved person” has the meaning given by section 65(3); 

“authorised person” has the meaning given by section 62(1)(b); 

“dashboard service” means an electronic communications service by 
means of which information may be requested by and provided to a 
person; 

“the data protection legislation” has the same meaning as in the Data 
Protection Act 2018 (see section 3(9) of that Act); 

“decision-maker” means a person who is a decision-maker described in 
section 63(3)(b) or 65(3)(b); 

“digital content” means data which is produced and supplied in digital 
form; 
“electronic communications service” has the meaning given by section 32
of the Communications Act 2003; 


“enforcer” has the meaning given by section 67(1); 


“micro business” has the meaning given by section 33 of the Small 
Business, Enterprise and Employment Act 2015, read with any 
regulations under that section; 


“personal data” has the same meaning as in the Data Protection Act 2018 
(see section 3(2) of that Act); 


“processing” has the same meaning as in that Act (see section 3(4) of that 
Act) and related terms are to be interpreted accordingly; 


“public body” means a body or other person whose functions — 
(a) are of a public nature, or
(b) include functions of that nature, 


but in the latter case, the body or person is a public body to the extent 
only of those functions; 


“small business” has the meaning given by section 33 of the Small 
Business, Enterprise and Employment Act 2015, read with any 
regulations under that section; 


“specified” means specified, or of a description specified, by regulations 
under this Part; 


“third party recipient” has the meaning given by section 64(1)(b). 
PART 4 


OTHER PROVISION ABOUT DIGITAL INFORMATION 
Privacy and electronic communications 


78 The PEC Regulations 


In sections 79 to 86, “the PEC Regulations” means the Privacy and Electronic 
Communications (EC Directive) Regulations 2003 (S.I. 2003/2426). 


79 Storing information in the terminal equipment of a subscriber or user 
(1) The PEC Regulations are amended as follows. 


(2) In regulation 6 (storing information, or gaining access to information stored, in
the terminal equipment of a subscriber or user) — 


(a) for paragraphs (1) and (2) substitute — 
“(1) Subject to paragraphs (2) to (2D) and (4), a person must not store
information, or gain access to information stored, in the
terminal equipment of a subscriber or user.


(2) Paragraph (1) does not prevent a person storing information, or 
gaining access to information stored, in the terminal equipment 
of a subscriber or user if the subscriber or user — 

(a) is provided with clear and comprehensive information 
about the purpose of the storage or access, and 
(b) gives consent to the storage or access. 
(2A) Paragraph (1) does not prevent a person storing information, or
gaining access to information stored, in the terminal equipment 
of a subscriber or user if — 

(a) the person provides an information society service, 

(b) the sole purpose of the storage or access is to enable the 
person — 

(i) to collect information for statistical purposes 
about how the service is used with a view to 
making improvements to the service, or 

(ii) to collect information for statistical purposes 
about how a website by means of which the 
service is provided is used with a view to 
making improvements to the website, 

(c) any information that the storage or access enables the 
person to collect is not shared with any other person 
except for the purpose of enabling that other person to 
assist with making improvements to the service or 
website, 

(d) the subscriber or user is provided with clear and 
comprehensive information about the purpose of the 
storage or access, and 

(e) the subscriber or user is given a simple means of 
objecting (free of charge) to the storage or access and 
does not object. 


(2B) Paragraph (1) does not prevent a person storing information, or 
gaining access to information stored, in the terminal equipment 
of a subscriber or user if — 

(a) the person provides an information society service by 
means of a website, 
(b) the sole purpose of the storage or access is — 

(i) to enable the way the website appears or 
functions when displayed on, or accessed by, the 
terminal equipment to adapt to the preferences 
of the subscriber or user, or 


(ii) to otherwise enable an enhancement of the 
appearance or functionality of the website when 
displayed on, or accessed by, the terminal 
equipment, 

(c) the subscriber or user is provided with clear and 
comprehensive information about the purpose of the 
storage or access, and 

(d) the subscriber or user is given a simple means of 
objecting (free of charge) to the storage or access and 
does not object. 


(2C) Paragraph (1) does not prevent a person storing information, or 
gaining access to information stored, in the terminal equipment 
of a subscriber or user if — 

(a) the sole purpose of the storage or access is to enable 
software installed in the terminal equipment to be 
updated, 
(b) the update is necessary to ensure the security of the
terminal equipment, 

(c) the update will not result in an alteration of a setting 
affecting the privacy of information stored in the 
terminal equipment, 

(d) the subscriber or user is provided with clear and 
comprehensive information about the purpose of the 
update, 

(e) the subscriber or user is given a simple means of 
objecting (free of charge) to the update and does not 
object, 

(f) after the storage or access, the subscriber or user has an 
opportunity to disable or postpone the update before it 
takes effect, and 

(g) in a case where the update takes effect, it is reasonably
practicable for the subscriber or user to remove or 
disable the software. 


(2D) Paragraph (1) does not prevent a person storing information, or 
gaining access to information stored, in the terminal equipment 
of a subscriber or user if — 

(a) the person receives a communication from the terminal 
equipment, 

(b) the communication is a request from the subscriber or 
user for emergency assistance or otherwise indicates 
that the subscriber or user is in need of emergency 
assistance, and 


(c) the sole purpose of the storage or access is to enable the 
geographical position of the subscriber or user to be 
ascertained with a view to the emergency assistance 
being provided.”, 

(b) in paragraph (3) — 
(i) after “Where” insert “on more than one occasion”, and 
(ii) for the words from “on more than one occasion, it is” to the end 
substitute “for the same purpose — 

(a) it is sufficient for the purposes of paragraph (2) 
that the requirements of that paragraph are met 
in respect of the initial use, 

(b) it is sufficient for the purposes of paragraph (2A)
that the requirements of sub-paragraph (d) and 
(e) of that paragraph are met in respect of the 
initial use, and 

(c) it is sufficient for the purposes of paragraph (2B)
that the requirements of sub-paragraph (c) and 
(d) of that paragraph are met in respect of the 
initial use.”, 

(c) in paragraph (3A) — 
(i) for “paragraph (2)” substitute “paragraphs (2)(b), (2A)(e) and 
(2B)(d)”, 
(ii) after “consent”, in both places, insert “or an objection”, and 
(iii) after “subscriber”, in both places, insert “or user”, and 
(d) after paragraph (4) insert — 
“(5) For the purposes of paragraph (4)(b), the technical storage of, or access
to, information is strictly necessary for the provision of an information 
society service requested by the subscriber or user if, for example, the 
storage or access is strictly necessary — 

(a) to protect information provided in connection with, or relating 
to, the provision of the service requested, 

(b) to ensure that the security of the terminal equipment of the 
subscriber or user is not adversely affected by the provision of 
the service requested, 

(c) to prevent or detect fraud in connection with the provision of 
the service requested, 

(d) to prevent or detect technical faults in connection with the 
provision of the service requested, or 

(e) to enable either of the following things to be done where 
necessary for the provision of the service requested — 

(i) automatically authenticating the identity of the 
subscriber or user, or 

(ii) maintaining a record of selections made on a website, or 
information put into a website, by the subscriber or user. 


(6) In this regulation — 

(a) a reference to a person storing information, or gaining access to
information stored, in the terminal equipment of a subscriber or 
user includes a reference to the person instigating the storage or 
access, and 

(b) a reference, except in paragraph (2A), to gaining access to 
information stored in the terminal equipment of a subscriber or 
user includes a reference to collecting or monitoring 
information automatically emitted by the terminal equipment. 


(7) In this regulation, “website” includes a mobile application and any other
platform by means of which an information society service is 
provided.” 


(3) After regulation 6 insert — 
“6A Power to provide exceptions to regulation 6(1) 


(1) The Secretary of State may by regulations made by statutory 
instrument — 
(a) amend these regulations — 
(i) by adding an exception to the prohibition in regulation 
6(1), or 
(ii) by omitting or varying an exception to that prohibition, 
and 


(b) make consequential, incidental or supplementary provision 
amending these regulations. 


(2) Regulations under paragraph (1) may make different provision for 
different purposes. 


(3) Before making regulations under paragraph (1), the Secretary of State 
must consult — 


(a) the Information Commissioner, and 
(b) such other persons as the Secretary of State considers
appropriate.


(4) A statutory instrument containing regulations under paragraph (1)
may not be made unless a draft of the instrument has been laid before
and approved by a resolution of each House of Parliament.


6B Information technology to enable consent to be given, or an objection
to be made, automatically


(1) The Secretary of State may by regulations made by statutory
instrument provide that a person of a specified description may supply, 
provide or otherwise make available information technology of a 
specified description only if the technology meets specified 
requirements. 


The power conferred by paragraph (1) is to be exercised only for the 
purpose of securing that information technology supplied, provided or 
otherwise made available enables users of the technology to ensure that 
any consent they wish to give, or any objection they wish to make, to an 
operator of a website for the purposes of regulation 6 is given or made 
automatically upon their visiting the website. 


Regulations under paragraph (1) may make provision conferring 
functions on the Information Commissioner relating to the enforcement 
of the regulations. 


The provision made by reason of paragraph (3) may include provision 
applying (with or without modification) provisions of the Data 
Protection Act 2018 relating to enforcement. 


Regulations under paragraph (1) may — 
(a) make different provision for different purposes, 


(b) make incidental, supplementary, consequential, transitional or 
saving provision. 


Before making regulations under paragraph (1), the Secretary of State 
must consult — 
(a) the Information Commissioner, and 
(b) such other persons as the Secretary of State considers 
appropriate. 


A statutory instrument containing regulations under paragraph (1) 
may not be made unless a draft of the instrument has been laid before 
and approved by a resolution of each House of Parliament. 


In this regulation — 
“information technology” includes — 
(a) computers, 
(b) other devices whose uses include the processing of 
information by electronic means (“IT devices”), 


(c) parts, accessories or other equipment made or adapted 
for use in connection with computers or IT devices, 

(d) software and code made or adapted for use in 
connection with computers or IT devices, and 
(e) networks and other infrastructure (whether physical or
virtual) used in connection with other information 
technology; 

“specified” means specified in regulations made under paragraph 
(1); 

“website” includes a mobile application and any other platform by 
means of which an information society service is provided (and 
a reference to “an operator” of a website or “visiting” a website 
is to be read accordingly).” 


80 Unreceived communications 
(1) Regulation 2 of the PEC Regulations is amended as follows. 


(2) In paragraph (1) — 
(a) in the definition of “call”, at the end insert “, and a reference to making 
a call includes a reference to attempting to establish such a connection”; 
(b) in the definition of “communication” — 


(i) for “exchanged or conveyed between” substitute “transmitted 
to”, and 


(ii) for “conveyed”, in the second place it occurs, substitute 
“transmitted”. 


(3) After paragraph (1) insert — 


“(1A) In the application of these Regulations in relation to—
(a) information that is sent but not received,
(b) a communication that is transmitted but not received,
(c) an electronic mail that is sent but not received, or
(d) an unsuccessful attempt to make a call,


a reference to the recipient of the information, communication, 
electronic mail or call is to be read as a reference to the intended 
recipient.” 


81 Meaning of “direct marketing” 


In regulation 2(1) of the PEC Regulations (interpretation), at the appropriate 
place, insert — 


““direct marketing” means the communication (by whatever 
means) of advertising or marketing material which is directed 
to particular individuals;”. 


82 Use of electronic mail for direct marketing purposes


(1) Regulation 22 of the PEC Regulations (use of electronic mail for direct 
marketing purposes) is amended as follows. 


(2) In paragraph (2), after “paragraph (3)” insert “or (3A)”. 
(3) After paragraph (3) insert — 


“(3A) A person may send or instigate the sending of electronic mail for the
purposes of direct marketing where —
(a) the direct marketing is solely for the purpose of furthering a
charitable, political or other non-commercial objective of that 
person; 

(b) that person obtained the contact details of the recipient of the 
electronic mail in the course of the recipient expressing an 
interest in or offering or providing support for the furtherance 
of that objective or a similar objective; and 

(c) the recipient has been given a simple means of refusing (free of 
charge except for the costs of the transmission of the refusal) the 
use of their contact details for the purposes of such direct 
marketing, at the time that the details were initially collected, 
and, where the recipient did not initially refuse the use of the 
details, at the time of each subsequent communication.” 


83 Direct marketing for the purposes of democratic engagement 


(1) The Secretary of State may by regulations provide an exception from a direct 
marketing provision for a case where communications activity is — 
(a) carried out for the purposes of democratic engagement, and 
(b) is not directed to individuals under the age of 14. 


(2) For the purposes of subsection (1)(a), communications activity is carried out for 
the purposes of democratic engagement if — 
(a) the activity is carried out— 
(i) by, or at the instigation of, an elected representative, and 
(ii) for the purposes of the elected representative’s democratic 
engagement activities, 
(b) the activity is carried out— 
(i) by, or at the instigation of, a person or organisation included in 
a register maintained under section 23 of the Political Parties, 
Elections and Referendums Act 2000, and 
(ii) for the purposes of the person’s or organisation’s democratic 
engagement activities, for the purposes of assisting an elected 
representative with their democratic engagement activities or 
for the purposes of assisting with a candidate’s campaign for 
election as an elected representative, 
(c) the activity is carried out— 
(i) by, or at the instigation of, a candidate for election as an elected 
representative, and 
(ii) for the purposes of the candidate’s campaign for election, 
(d) the activity is carried out— 
(i) by, or at the instigation of, a permitted participant in relation to 
a referendum, and 
(ii) for the purposes of the permitted participant’s campaigning in 
connection with the referendum, or 
(e) the activity is carried out— 
(i) by, or at the instigation of, an accredited campaigner in relation 
to a recall petition, and 
(ii) for the purposes of the accredited campaigner’s campaigning in 
connection with the recall petition. 
(3) Regulations under this section may provide for an exception to be subject to
conditions or limitations.


(4) Regulations under this section may make —
(a) consequential, supplementary, incidental or transitional provision, and 
(b) different provision for different purposes. 


Before making regulations under this section, the Secretary of State must 
consult — 


(a) the Information Commissioner, and 
(b) such other persons as the Secretary of State considers appropriate. 


Before making regulations under this section, the Secretary of State must 
consider the effect the regulations may have on the privacy of individuals. 


Regulations under this section are subject to the affirmative resolution 
procedure. 


Meaning of expressions in section 83 


(1) In section 83 —

“accredited campaigner” has the meaning given in Part 5 of Schedule 3 to 
the Recall of MPs Act 2015; 

“candidate”, in relation to election as an elected representative, has the 
meaning given by the provisions listed in the relevant entry in the 
second column of the table in subsection (2); 

“communications activity” means — 

(a) transmitting, or instigating the transmission of, a 
communication, or 

(b) using, or instigating the use of, a public electronic 
communications service to make a call; 

“democratic engagement activities” means activities whose purpose is to 
support or promote democratic engagement; 

“direct marketing” means the communication (by whatever means) of 
advertising or marketing material which is directed to particular 
individuals; 

“direct marketing provision” means any provision of regulations 19 to 24 
of the PEC Regulations; 

“elected representative” means a person listed in the first column of the 
table in subsection (2) and see also subsections (3) and (4); 

“permitted participant” has the same meaning as in Part 7 of the Political 
Parties, Elections and Referendums Act 2000 (referendums) (see section 
105 of that Act); 

“recall petition” has the same meaning as in the Recall of MPs Act 2015 
(see section 1(2) of that Act); 

“referendum” means a referendum or other poll held on one or more 
questions specified in, or in accordance with, an enactment. 


(2) This is the table referred to in subsection (1) —

| Elected representative | Candidate for election as an elected representative |
| --- | --- |
| (a) a member of the House of Commons | section 118A of the Representation of the People Act 1983 |
| (b) a member of the Senedd | article 84(2) of the National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236) |
| (c) a member of the Scottish Parliament | article 80(1) of the Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425) |
| (d) a member of the Northern Ireland Assembly | section 118A of the Representation of the People Act 1983, as applied by the Northern Ireland Assembly (Elections) Order 2001 (S.I. 2001/2599) |
| (e) an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely — (i) in England, a county council, a district council, a London borough council or a parish council; (ii) in Wales, a county council, a county borough council or a community council | section 118A of the Representation of the People Act 1983 |
| (f) an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000 | section 118A of the Representation of the People Act 1983, as applied by the Local Authorities (Mayoral Elections) (England and Wales) Regulations 2007 (S.I. 2007/1024) |
| (g) a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009 | section 118A of the Representation of the People Act 1983, as applied by the Combined Authorities (Mayoral Elections) Order 2017 (S.I. 2017/67) |
| (h) the Mayor of London or an elected member of the London Assembly | section 118A of the Representation of the People Act 1983 |




Data Protection and Digital Information Bill 
Part 4 — Other provision about digital information 


| Elected representative | Candidate for election as an elected representative |
| --- | --- |
| (i) an elected member of the Common Council of the City of London | section 118A of the Representation of the People Act 1983 |
| (j) an elected member of the Council of the Isles of Scilly | section 118A of the Representation of the People Act 1983 |
| (k) an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994 | section 118A of the Representation of the People Act 1983 |
| (l) an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.)) | section 130(3A) of the Electoral Law Act (Northern Ireland) 1962 (c. 9 (N.I.)) |
| (m) a police and crime commissioner | article 3 of the Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917) |


(3) For the purposes of the definition of “elected representative” in subsection (1),
a person who is—
(a) a member of the House of Commons immediately before Parliament is
dissolved,
(b) a member of the Senedd immediately before Senedd Cymru is
dissolved,
(c) a member of the Scottish Parliament immediately before that
Parliament is dissolved, or
(d) a member of the Northern Ireland Assembly immediately before that
Assembly is dissolved, 
is to be treated as if the person were such a member until the end of the fourth 
day after the day on which the subsequent general election in relation to that 
Parliament or Assembly is held. 


For the purposes of the definition of “elected representative” in subsection (1), 
a person who is an elected member of the Common Council of the City of 
London and whose term of office comes to an end at the end of the day 
preceding the annual Wardmotes is to be treated as if the person were such a 
member until the end of the fourth day after the day on which those 
Wardmotes are held. 


85 Duty to notify the Commissioner of unlawful direct marketing


(1) The PEC Regulations are amended as follows.
(2) After regulation 26 insert —
“26A Duty to notify Commissioner of unlawful direct marketing 


(1) A provider of a public electronic communications service must notify 
the Commissioner of any reasonable grounds the provider has for 
suspecting that a person is contravening or has contravened any of the 
direct marketing regulations in the course of using the service. 


(2) A provider of a public electronic communications network must notify 
the Commissioner of any reasonable grounds the provider has for 
suspecting that a person is contravening or has contravened any of the 
direct marketing regulations in the course of using the network or 
using a public electronic communication service provided by means of 
the network. 


(3) A notification under this section must be given within the period of 28 
days beginning with the day on which the reasonable grounds for 
suspicion come to the attention of the provider. 


(4) “Direct marketing regulations” means regulations 19 to 22. 
26B Fixed penalty for failure to comply with regulation 26A


(1) If a provider of a public electronic communications service or public
electronic communications network fails to comply with regulation 
26A, the Commissioner may issue a fixed monetary penalty notice in 
respect of the failure. 


(2) The amount of a fixed monetary penalty under this regulation shall be 
£1,000. 


(3) Before serving a fixed monetary penalty notice, the Commissioner 
must serve the provider with a notice of intent. 


(4) The notice of intent must —
(a) state the name and address of the provider;
(b) state the nature of the failure;
(c) state the amount of the fixed monetary penalty;
(d) include a statement informing the provider of the opportunity
to discharge liability for the fixed monetary penalty;
(e) indicate the date on which the Commissioner proposes to serve
the fixed monetary penalty notice; and


(f) inform the provider that the provider may make written 
representations in relation to the proposal to serve a fixed 
monetary penalty notice within the period of 21 days beginning 
with the day the notice of intent is served. 


(5) A provider may discharge liability for the fixed monetary penalty if the
provider pays to the Commissioner the amount of £800 within the
period of 21 days beginning with the day the notice of intent is served. 


(6) The Commissioner may not serve a fixed monetary penalty notice until 
the period within which representations may be made has expired. 


(7) The fixed monetary penalty notice must state —
(a) the name and address of the provider;
(b) details of the notice of intent served on the provider;

(c) whether there have been any written representations; 

(d) details of any early payment discounts; 

(e) the grounds on which the Commissioner imposes the fixed 
monetary penalty; 

(f) the date by which the fixed monetary penalty is to be paid; and 

(g) details of, including the time limit for, the provider’s right of 
appeal against the imposition of the fixed monetary penalty. 


A provider on whom a fixed monetary penalty notice is served may 
appeal to the Tribunal against the issue of the fixed monetary penalty 
notice. 


Any sum received by the Commissioner by virtue of this regulation 
must be paid into the Consolidated Fund. 


In England and Wales, the fixed monetary penalty is recoverable — 
(a) if the county court so orders, as if it were payable under an 
order of that court; 
(b) if the High Court so orders, as if it were payable under an order 
of that court. 


(11) In Scotland, the fixed monetary penalty may be enforced in the same
manner as an extract registered decree arbitral bearing a warrant for 
execution issued by the sheriff court of any sheriffdom in Scotland. 


(12) In Northern Ireland, the fixed monetary penalty is recoverable—
(a) if a county court so orders, as if it were payable under an order
of that court; 
(b) if the High Court so orders, as if it were payable under an order 
of that court. 


(13) The Secretary of State may by regulations made by statutory
instrument amend this regulation so as to substitute a different amount 
for the amount for the time being specified in paragraph (2) or (5). 


(14) A statutory instrument containing regulations under this regulation
may not be made unless a draft of the instrument has been laid before 
and approved by a resolution of each House of Parliament. 


26C Guidance in relation to regulation 26A 


(1) The Commissioner must produce and publish guidance about what
may constitute reasonable grounds for suspecting that a person is 
contravening or has contravened any of the direct marketing 
regulations in the course of using a public electronic communications 
service or public electronic communications network. 


The Commissioner may — 
(a) alter and replace guidance produced under this regulation, and 
(b) must publish any altered or replacement guidance. 


Before producing guidance under this regulation (including any 
altered or replacement guidance), the Commissioner must consult — 
(a) the Secretary of State, 
(b) OFCOM, 
(c) providers of public electronic communications networks, 
(d) providers of public electronic communications services, and
(e) such other persons as the Commissioner considers appropriate. 


(4) The Commissioner must have regard to guidance under this regulation 
in determining whether to issue a fixed monetary penalty notice under 
regulation 26B. 


(5) “Direct marketing regulations” means regulations 19 to 22.” 


(3) In regulation 5C (personal data breach: fixed monetary penalty) —
(a) in paragraph (10)—
(i) omit “and Northern Ireland”, and 


(ii) in paragraph (a), for “a county court” substitute “the county 
court”, and 


(b) after paragraph (11) insert — 


“(12) In Northern Ireland, the penalty is recoverable— 
(a) if a county court so orders, as if it were payable under an
order of that court; 
(b) if the High Court so orders, as if it were payable under 
an order of that court.” 


Commissioner’s enforcement powers 


(1) The PEC Regulations are amended as follows. 


(2) In regulation 5 (security of public electronic communications services), omit 
paragraph (6). 
(3) Omit regulation 5B (personal data breach: audit). 


(4) In regulation 5C (personal data breach: fixed monetary penalty) after 
paragraph (12) (inserted by section 85 of this Act) insert— 


“(13) The Secretary of State may by regulations made by statutory 
instrument amend this regulation so as to substitute a different amount 
for the amount for the time being specified in paragraph (2) or (5). 


(14) A statutory instrument containing regulations under this regulation 
may not be made unless a draft of the instrument has been laid before 
and approved by a resolution of each House of Parliament.” 


(5) For regulation 31 substitute — 
“31 Information Commissioner’s enforcement powers 


(1) Schedule 1 provides for certain provisions of Parts 5 to 7 of the Data 
Protection Act 2018 to apply with modifications for the purposes of 
enforcing these Regulations. 


(2) In regulations 32 and 33, “enforcement functions” means the functions 
of the Information Commissioner under those provisions, as applied by 
that Schedule.” 


(6) Omit regulation 31A (third party information notices).


(7) Omit regulation 31B (appeals against third party information notices).


(8) For Schedule 1 substitute the Schedule set out in Schedule 10.


(9) In paragraph 58(1) of Schedule 20 to the 2018 Act (transitional provision
relating to the PEC Regulations) for “regulations 2, 31 and 31B of, and Schedule 
1 to,” substitute “regulation 2 of”. 


Trust services 


87 The eIDAS Regulation


In sections 88 to 91, “the eIDAS Regulation” means Regulation (EU) No. 910/2014
of the European Parliament and the Council of 23 July 2014 on electronic
identification and trust services for electronic transactions in the internal 
market. 


88 Recognition of EU conformity assessment bodies 


In Chapter 3 of the eIDAS Regulation (trust services), after Article 24A insert — 


“Article 24B 
Recognition of EU conformity assessment bodies 


For the purposes of Articles 20(1), 21 and 24(1)(d), a body is to be treated as if 
it were a conformity assessment body in relation to a description of trust 
services provider (and trust service) if it is a conformity assessment body in 
relation to that description of provider (and service) for the purposes of the 
equivalent EU law.” 


89 Removal of recognition of EU standards etc 


(1) The Secretary of State may by regulations — 

(a) amend Article 24A of the eIDAS Regulation (recognition of EU 
standards etc for qualified trust services) so as to remove circumstances 
in which something is to be treated as qualified under that Regulation 
for the purposes of a provision or measure specified in paragraph 1 of 
that Article; 

(b) revoke that Article; 

(c) revoke Article 24B of the eIDAS Regulation (recognition of EU 
conformity assessment bodies); 

(d) revoke Article 51 of the eIDAS Regulation (transitional measures for 
electronic signatures); 

(e) amend a provision listed in subsection (3) so as to remove a reference 
to a trust service provider established in the EU; 


(f) amend a provision listed in subsection (4) so as to remove a reference 
to European standards or provisions of equivalent EU law. 


(2) The power under subsection (1)(a) includes power to amend or remove an 
assumption in Article 24A(2) of the eIDAS Regulation. 


(3) The provisions mentioned in subsection (1)(e) are—
(a) Article 13(1) of the eIDAS Regulation; 
(b) Articles 2(1)(a) and 4(1)(a) of the Implementing Decision. 


(4) The provisions mentioned in subsection (1)(f) are— 
(a) Article 24(2)(b) of the eIDAS Regulation;
(b) Articles 2(2)(c)(7) and 4(2)(c)(7) of the Implementing Decision. 


(5) Regulations under this section may — 
(a) include transitional provision or savings, and 


(b) make different provision for different purposes, including for the 
purposes of different provisions of the eIDAS Regulation. 


(6) A statutory instrument containing regulations under this section is subject to 
the negative resolution procedure. 


(7) In this section, “the Implementing Decision” means Commission 
Implementing Decision (EU) 2015/1506 laying down specifications relating to 
formats of advanced electronic signatures and advanced seals to be recognised by
public sector bodies pursuant to Articles 27(5) and 37(5) of the eIDAS
Regulation. 


90 Recognition of overseas trust products 
(1) The eIDAS Regulation is amended as follows. 
(2) In Chapter 3 of the eIDAS Regulation, after Article 45 insert — 


“Section 9 


Recognition of overseas trust services 


Article 45A 
Legal effects of overseas electronic signatures etc 


1. The Secretary of State may by regulations provide that, for the purposes
of Articles 25(2), 35(2), 41(2) and 43(2), an overseas trust product of a specified 
description is to be treated as qualified. 


2. In this Article — 


“overseas”, in relation to a trust product, means provided by a person 
established in a country or territory outside the United Kingdom; 


“trust product” means an electronic signature, an electronic seal, an 
electronic time stamp or an electronic registered delivery service; 


“specified” means specified by regulations under this Article. 


3. The Secretary of State may not make regulations under this Article 
specifying a description of overseas trust product unless satisfied that the 
reliability of such a product is at least equivalent to the reliability of a 
comparable trust product that is qualified. 


4. When making regulations under this Article in relation to a description
of overseas trust product, the Secretary of State must have regard to (among 
other things) the law in the other country or territory relevant to that 
description of product and related trust services. 
Article 45B
Overseas signatures and seals in public service 


1. The Secretary of State may by regulations provide that an overseas 
electronic signature of a specified description is to be treated — 


(a) for the purposes of Article 27(1), as an advanced electronic signature 
that complies with the Implementing Decision; 


(b) for the purposes of Article 27(2), as an advanced electronic signature 
based on a qualified certificate for electronic signature, or a qualified 
signature, that complies with the Implementing Decision. 


2. The Secretary of State may by regulations provide that an overseas 
electronic seal of a specified description is to be treated — 


(a) for the purposes of Article 37(1), as an advanced electronic seal that 
complies with the Implementing Decision; 


(b) for the purposes of Article 37(2), as an advanced electronic seal based 
on a qualified certificate for electronic seal, or a qualified seal, that 
complies with the Implementing Decision. 


3. In this Article — 


“the Implementing Decision” means Commission Implementing Decision 
(EU) 2015/1506 laying down specifications relating to formats of advanced 
electronic signatures and advanced seals to be recognised by public sector 
bodies; 


“overseas”, in relation to an electronic signature or electronic seal, means 
provided by a person established in a country or territory outside the 
United Kingdom; 


“specified” means specified by regulations made under this Article. 


4. The Secretary of State may not make regulations under point (a) or (b) of 
paragraph 1 or point (a) or (b) of paragraph 2 specifying a description of 
overseas electronic signature or overseas electronic seal unless satisfied that 
the reliability of such a signature or seal is at least equivalent to the reliability 
of a signature or seal described in that point. 


5. When making regulations under this Article in relation to a description
of overseas electronic signature or overseas electronic seal, the Secretary of 
State must have regard to (among other things) the law in the other country or 
territory relevant to that description of signature or seal and related trust 
services. 


Article 45C 


Regulations under this Section 
1. Before making regulations under Article 45A or 45B, the Secretary of
State must consult the supervisory body. 


2. Regulations under Article 45A or 45B— 


(a) may describe something by (among other things) describing
something that meets a condition specified in the regulations or is
provided by a person who meets such a condition, and 


(b) include a condition referring to (among other things) the law of the 
other country or territory or a standard or other document, including 
the law, standard or other document as amended from time to
time.


3. Regulations under Article 45A or 45B may — 


(a) make different provision for different purposes, including for the 
purposes of different provisions of this Regulation, and 


(b) include transitional or transitory provision or savings. 


4. Regulations under Article 45A or 45B are to be made by statutory 
instrument. 


5. A statutory instrument containing regulations under Article 45A or 45B 
is subject to annulment in pursuance of either House of Parliament.” 


In Article 3(21) (definition of “product”), at the end insert “(except in the
expression “trust product”)”.


Co-operation between supervisory authority and overseas authorities 


(1) Article 18 of the eIDAS Regulation (co-operation with EU authorities) is
amended as follows. 


(2) In paragraph 1, for “public authority in the EU” substitute “designated
overseas authority”. 


In paragraph 2, for “other than in accordance with the data protection 
legislation” substitute “if the processing would contravene the data protection 
legislation (but in determining whether processing would do so, take into 
account the power conferred by that paragraph)”. 


After paragraph 2 insert — 
“3. In this Article— 


“designated” means designated by regulations made by the Secretary of 
State that are in force; 


“overseas authority” means a person, or description of person, with 
functions relating to the regulation or supervision of trust services outside 
the United Kingdom. 


4. Before making regulations under this Article, the Secretary of State must 
consult the supervisory body.


5. Regulations under this Article may include transitional or transitory 
provision or savings. 


6. Regulations under this Article are to be made by statutory instrument. 


7. A statutory instrument containing regulations under this Article is 
subject to annulment in pursuance of either House of Parliament.” 


Sharing of data 


92 Disclosure of information to improve public service delivery to undertakings 


(1) Section 35 of the Digital Economy Act 2017 (disclosure of information to 
improve public service delivery) is amended as follows. 


(2) In subsection (9)—
(a) in paragraph (a), for “or households” substitute “, households or
undertakings”, and


(b) in paragraph (b), for “or households” substitute “, households or
undertakings”.


(3) In subsection (10) —
(a) the words after “its purpose” become paragraph (a), and
(b) at the end of that paragraph, insert “, or


(b) the assisting of undertakings in connection with any
trade, business or charitable purpose.”


(4) After subsection (12) insert — 


“(13) In this section “undertaking” means — 
(a) any person, other than a public authority, carrying on a trade or
business, whether or not with a view to profit, or 
(b) any body, or the trustees of a trust, established for charitable 
purposes only. 


(14) In this section, in so far as it forms the law in Scotland and Northern 
Ireland, “charitable purpose” has the same meaning as it has in the law 
of England and Wales (see section 2 of the Charities Act 2011).” 


93 Implementation of agreements on sharing information for law enforcement 
purposes 


(1) The Secretary of State may by regulations make such provision as the Secretary 
of State considers appropriate for the purpose of, or in connection with, 
implementing an international agreement so far as relating to the sharing of 
information for law enforcement purposes, as it has effect from time to time. 


(2) Regulations under this section may — 
(a) make different provision for different purposes, and 
(b) make transitional, transitory or saving provision. 
(3) Subject to subsections (4) and (5), regulations under this section may provide
that sharing of information in accordance with the regulations does not breach 
any restriction on the sharing of information (however imposed). 


(4) Regulations under this section do not require or authorise processing of 
personal data that would contravene the data protection legislation (but in 
determining whether processing of personal data would do so, take into 
account a duty imposed, or power conferred, by the regulations). 


(5) Regulations under this section do not require or authorise the making of a 
disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of 
the Investigatory Powers Act 2016. 


(6) Regulations under this section are subject to the negative resolution procedure.


(7) In this section —

“the data protection legislation” has the same meaning as in the 2018 Act 
(see section 3(9) of that Act); 

“law enforcement purposes” means the prevention, investigation, 
detection or prosecution of criminal offences or the execution of 
criminal penalties, including the safeguarding against, and the 
prevention of, threats to public security; 


“personal data” has the same meaning as in the 2018 Act (see section 3(2) 
of that Act); 


“processing” has the same meaning as in the 2018 Act (see section 3(4) of 
that Act). 


Registers of births and deaths 


94 Form in which registers of births and deaths are to be kept 
(1) The Births and Deaths Registration Act 1953 is amended as follows. 
(2) For section 25 (provision of registers, etc, by Registrar General) substitute — 
“25 Form in which registers are to be kept, etc 


(1) Registers of live-births, still-births and deaths must be kept in such 
form as the Registrar General may reasonably require. 


(2) The Registrar General may, in particular, require any such register to be 
kept in a form that secures that any information entered in the register 
by a registrar — 

(a) in the case of a register of live-births or of deaths, is available to 
the superintendent registrar and to the Registrar General 
immediately after the entry has been made, and 

(b) in the case of a register of still-births, is available to the Registrar
General immediately after the entry has been made. 


(3) In a case where a register is kept in such form as is mentioned in 
subsection (2), any information in the register which is available to the 
superintendent registrar or Registrar General is to be regarded as held 
by that person (as well as by the registrar) in connection with that 
person’s functions. 


(4) The Registrar General — 
(a) may provide anything which the Registrar General considers
appropriate for the registers mentioned in subsection (1) to be 
kept in the form required under that subsection, and 


(b) must maintain anything provided under paragraph (a). 


(5) The Registrar General must also provide the forms required for the 
purposes of this Act for making certified copies of entries in registers.” 


(3) Omit the following provisions — 
(a) section 26 (quarterly returns to be made by registrar to superintendent 
registrar); 
(b) section 27 (quarterly returns by superintendent registrar to Registrar 
General); 


(c) section 28 (custody of registers, etc). 


95 Provision of equipment and facilities by local authorities
In the Registration Service Act 1953, after section 11 insert — 
“11A Provision of equipment and facilities by local authorities 


(1) At each register office provided for the superintendent registrar of a 
district, the council which employs the superintendent registrar shall, 
subject to the provisions of the local scheme, provide and maintain such 
equipment or facilities as the Registrar General reasonably considers to 
be necessary for the performance of the superintendent registrar’s 
functions. 


(2) At each office and each station for a sub-district of a registrar, the 
council which employs the registrar shall, subject to the provisions of 
the local scheme, provide and maintain such equipment or facilities as 
the Registrar General reasonably considers to be necessary for the 
performance of the registrar’s functions.” 


96 Requirements to sign register 
(1) The Births and Deaths Registration Act 1953 is amended as follows. 
(2) After section 38A insert — 
“38B Requirements to sign register 


(1) Where any register of births or register of deaths is required to be kept 
under this Act otherwise than in hard copy form, the Minister may by 
regulations provide that — 

(a) a person’s duty under this Act to sign the register at any time is
to have effect as a duty to comply with specified requirements
at that time, and

(b) a person who complies with those requirements is to be treated
for the purposes of this Act as having signed the register at that 
time and, in the case of a duty to sign the register in the presence 
of the registrar, to have done so in the presence of the registrar, 

and accordingly, in such a case, the entry in the register is to be taken 
for the purposes of this Act to have been signed by the person. 


(2) The provision that may be made by regulations under this section 
includes, among other things — 
(a) provision requiring a person to sign something other than the 
register; 

(b) provision requiring a person to provide specified evidence of 
identity in such form and manner as may be specified. 


(3) In this section “specified” means specified in regulations under this 
section.” 


(3) In section 39A (regulations made by the Minister: further provisions), after 
subsection (5) insert — 


“(6) A statutory instrument that contains (whether alone or with other 
provision) regulations made by the Minister under section 38B may not 
be made unless a draft of the instrument has been laid before, and 
approved by a resolution of, each House of Parliament.” 


97 Treatment of existing registers and records 


(1) The repeal of section 28 of the Births and Deaths Registration Act 1953 by 
section 94 above does not affect — 

(a) the requirement under section 28(2) of that Act for every 
superintendent registrar (“S”) to keep with the records of S’s office any 
registers of live-births or of deaths which are in S’s custody 
immediately before the coming into force of that repeal, or 

(b) the requirement under section 28(4) of that Act for the Registrar 
General to keep in the General Register Office — 

(i) any certified copies or information sent or provided under 
section 27 of that Act (quarterly returns by superintendent 
registrar to Registrar General), or 

(ii) any registers of still-births that were forwarded to the Registrar 
General before the coming into force of that repeal. 


(2) Any register of live-births or of deaths which, immediately before the coming 
into force of this section, is in the custody of a registrar and is unfilled is, as 
soon as is reasonably practicable after the coming into force of this section, to 
be delivered to the superintendent registrar (“S”) to be kept by S with the 
records of S’s office. 


(3) Any register of still-births which, immediately before the coming into force of 
this section, is in the custody of a registrar and is unfilled is, as soon as is 
reasonably practicable after the coming into force of this section, to be 
forwarded to the Registrar General to be kept in the General Register Office in 
such order and manner as the Registrar General thinks fit. 


(4) The Registrar General may dispose of — 
(a) any certified copies held by the Registrar General of entries in any 
register of still-births forwarded to the Registrar General under section 
28(3) of the Births and Deaths Registration Act 1953 or subsection (3) 
above, or 
(b) any information contained in those entries which is held by the 
Registrar General in electronic form by virtue of section 27 of that Act. 


(5) Where, at any time during the period mentioned in subsection (6), a copy has 
been kept otherwise than in hard copy form of any register of births or register 
of deaths kept for a sub-district under the Births and Deaths Registration Act 
1953 — 
(a) that copy is to be treated, on and after the day on which section 94 
comes into force, as the register kept for the sub-district for the 
purposes of that Act, 


(b) on and after that day, the register is to be treated for the purposes of 
section 25(3) of that Act as having been kept in the form in which the 
copy was kept, 

(c) where before that day a person signed any entry in the register, the 
entry is to continue, on and after that day, to be regarded for the 
purposes of that Act as having been signed by the person, and 

(d) the Registrar General may dispose of — 

(i) any certified copies held by the Registrar General of entries in 
the register, or 

(ii) any information contained in those entries which is held by the 
Registrar General in electronic form by virtue of section 27 of 
that Act. 


(6) The period referred to in subsection (5) is the period — 
(a) beginning with 1 July 2009, and 
(b) ending immediately before the day on which section 94 comes into 
force. 


(7) Expressions used in this section and in the Births and Deaths Registration Act 
1953 have the same meaning in this section as in that Act. 
98 Minor and consequential amendments 


Schedule 11 contains minor and consequential amendments. 
Information standards for health and social care 


99 Information standards for health and adult social care in England 


Schedule 12 makes provision about information standards for health and adult 
social care in England (under Part 9 of the Health and Social Care Act 2012) and 
information technology. 


PART 5 


REGULATION AND OVERSIGHT 
Information Commission 


100 The Information Commission 
(1) The 2018 Act is amended as follows. 
(2) After section 114 insert — 


“The Information Commission 
114A The Information Commission 


(1) A body corporate called the Information Commission is established. 
(2) Schedule 12A makes further provision about the Commission.” 


(3) In section 3 (terms relating to the processing of personal data), after subsection 
(8) insert — 


“(8A) “The Commission” means the Information Commission (see section 
114A).” 


(4) In section 206 (index of defined expressions), in the Table, at the appropriate 
place insert — 


“the Commission section 3”. 


(5) Schedule 13 — 
(a) inserts Schedule 12A to the 2018 Act, and 
(b) makes transitional provision relating to the person who holds the office 
of Information Commissioner immediately before the day on which 
Schedule 13 comes into force. 


Abolition of the office of Information Commissioner 


The office of Information Commissioner is abolished. 
Accordingly, the 2018 Act is amended as follows. 


In section 3 (terms relating to the processing of personal data) omit subsection 
(8). 

Omit section 114 (the Information Commissioner) and the italic heading before 
that section. 


In section 206 (index of defined expressions), in the Table, omit the entry for the 
Commissioner. 


In section 214(1) (extent) — 
(a) omit “and” at the end of paragraph (a), and 
(b) omit paragraph (b). 


Omit Schedule 12 (the Information Commissioner). 


Transfer of functions etc to the Information Commission 


The functions of the Information Commissioner are transferred to the 
Information Commission. 


The Secretary of State may make a scheme for the transfer of property, rights 
and liabilities from the Information Commissioner to the Information 
Commission. 


The things that may be transferred under a transfer scheme include— 
(a) property, rights and liabilities that could not otherwise be transferred; 


(b) property acquired, and rights and liabilities arising, after the making of 
the scheme. 


A transfer scheme may — 
(a) make provision about the continuing effect of things done by the 
Information Commissioner in respect of anything transferred; 

(b) make provision about the continuation of things (including legal 
proceedings) in the process of being done by, on behalf of or in relation 
to the Information Commissioner in respect of anything transferred; 

(c) make provision for references to the Information Commissioner in an 
instrument or other document in respect of anything transferred to be 
treated as references to the Information Commission; 

(d) if the TUPE regulations do not apply in relation to the transfer, make 
provision which is the same or similar; 

(e) make other consequential, supplementary, incidental or transitional 
provision. 


A transfer scheme may provide — 
(a) for modifications by agreement; 
(b) for modifications to have effect from the date when the original scheme 
came into effect. 


In subsection (4)(d), “the TUPE regulations” means the Transfer of 
Undertakings (Protection of Employment) Regulations 2006 (S.I. 2006/246). 


In this section, references to rights and liabilities include rights and liabilities 
relating to a contract of employment. 


Oversight of biometric data 


103 Oversight of retention and use of biometric material 


(1) The office of Commissioner for the Retention and Use of Biometric Material is 
abolished. 


(2) Part 1 of the Protection of Freedoms Act 2012 (regulation of biometric data) is 
amended in accordance with subsections (3) to (6). 


(3) For the heading before section 20 substitute “Functions of the Investigatory 
Powers Commissioner”. 


(4) In section 20 (appointment and functions of the Commissioner for the 
Retention and Use of Biometric Material) — 


(a) in the heading, omit “Appointment and”, 
(b) omit subsection (1), 
(c) after that subsection insert — 


“(1A) In this section, “the Commissioner” means the Investigatory 
Powers Commissioner (as defined in section 263(1) of the 
Investigatory Powers Act 2016).”, 

(d) omit subsections (6) to (8), 
(e) in subsection (9) — 
(i) after “63G” insert “of the Police and Criminal Evidence Act 
1984”, and 
(ii) at the end insert “(“the section 63D functions”)”, 
(f) omit subsections (10) and (11), and 
(g) at the end insert— 


“(12) Section 229(6) and (7) of the Investigatory Powers Act 2016 
(duty not to act contrary to public interest etc) apply to the 
exercise of functions under this section and the section 63D 
functions as they apply to the exercise of functions under that 
Act. 


(13) Errors identified by the Commissioner in carrying out functions 
under this section or the section 63D functions are not relevant 
errors for the purposes of section 231 of the Investigatory 
Powers Act 2016 (error reporting). 


(14) The Commissioner’s annual report under section 234 of the 
Investigatory Powers Act 2016 must include information about 
the carrying out of the Commissioner’s functions under this 
section and the section 63D functions.” 


(5) Omit section 21 (reports by Commissioner). 


(6) In section 22 (guidance on making national security determinations) — 
(a) in subsection (4) — 
(i) for “the guidance, or revising guidance already given” 
substitute “guidance or revised guidance under this section”, 
and 


(ii) for “Commissioner for the Retention and Use of Biometric 
Material” substitute “Investigatory Powers Commissioner”, 
(b) in subsection (5)— 
(i) after “giving guidance” insert “or revised guidance”, 
(ii) omit “or revising guidance already given,” 
(iii) in paragraph (a), for “revisions” substitute “revised guidance”, 
and 
(iv) in paragraph (b), for “revisions to the guidance” substitute 
“revised guidance”, 
(c) in subsection (6), for “make the revisions to the guidance” substitute 
“revised guidance”, 
(d) in subsection (7), for “revisions to guidance, come” substitute “revised 
guidance, comes”, 
(e) in subsection (9), for “given or revised” substitute “or revised guidance 
given”, and 
(f) at the end insert — 


“(10) In this section, “the Investigatory Powers Commissioner” has 
the meaning given in section 263(1) of the Investigatory Powers 
Act 2016.” 


(7) Part 5 of the Police and Criminal Evidence Act 1984 (questioning and treatment 
of persons by police) is amended in accordance with subsections (8) to (10). 


(8) In section 63AB (National DNA Database Strategy Board) — 
(a) in subsection (4), for “Commissioner for the Retention and Use of 
Biometric Material” substitute “Investigatory Powers Commissioner”, 
(b) in subsection (5), for “Commissioner for the Retention and Use of 
Biometric Material” substitute “Investigatory Powers Commissioner”, 
and 
(c) in subsection (13) (inserted by section 105 of this Act), at the 
appropriate place insert — 
““the Investigatory Powers Commissioner” has the 
meaning given in section 263(1) of the Investigatory 
Powers Act 2016;”. 


(9) In section 63F(5)(c) (retention of section 63D material: persons arrested for or 
charged with a qualifying offence), for “Commissioner for the Retention and 
Use of Biometric Material” substitute “Investigatory Powers Commissioner”. 


(10) In section 63G (retention of section 63D material by virtue of section 63F(5): 
consent of Commissioner) — 
(a) in subsection (1), for “Commissioner for the Retention and Use of 
Biometric Material” substitute “Investigatory Powers Commissioner 
(“the Commissioner”)”, and 
(b) in subsection (10), after “section—” insert — 
““the Investigatory Powers Commissioner” has the 
meaning given in section 263(1) of the Investigatory 
Powers Act 2016,”. 


(11) In consequence of the amendments made by this section— 

(a) in Part 3 of Schedule 1 to the House of Commons Disqualification Act 
1975 (other disqualifying offices), omit “Commissioner for the 
Retention and Use of Biometric Material”, 

(b) in Part 3 of Schedule 1 to the Northern Ireland Assembly 
Disqualification Act 1975 (other disqualifying offices), omit 
“Commissioner for the Retention and Use of Biometric Material”, and 

(c) in the Scottish Biometrics Commissioner Act 2020 (asp 8) — 

(i) in section 2(2) (functions), for “Commissioner for the Retention 
and Use of Biometric Material” substitute “Investigatory 
Powers Commissioner”, and 

(ii) in section 3 (power to work with others), omit paragraph (i) and 
after that paragraph insert — 
“(ia) the Investigatory Powers Commissioner (as 
defined in section 263(1) of the Investigatory 
Powers Act 2016),”. 


104 Removal of provision for regulation of CCTV etc 
(1) The office of Surveillance Camera Commissioner is abolished. 


(2) In the Protection of Freedoms Act 2012, omit Chapter 1 of Part 2 (regulation of 
CCTV and other surveillance technology). 


(3) In consequence of that repeal — 
(a) in Part 3 of Schedule 1 to the House of Commons Disqualification Act 
1975 (other disqualifying offices), omit “Surveillance Camera 
Commissioner”; 
(b) in Part 6 of Schedule 1 to the Freedom of Information Act 2000 (public 
authorities), omit “The Surveillance Camera Commissioner”. 
105 Oversight of biometrics databases 


(1) Section 63AB of the Police and Criminal Evidence Act 1984 (National DNA 
Database Strategy Board) is amended as follows. 


(2) For the heading substitute “Oversight of biometrics databases”. 


(3) In subsection (1)— 
(a) for “National DNA Database Strategy Board” substitute “Strategy 
Board (“the Board”)”, 
(b) after “of” insert “— 
(a) ”, and 
(c) at the end insert “, and 
(b) a database of fingerprints — 
(i) taken from a person under a power conferred by 
this Part of this Act, or 


(ii) taken by the police, with the consent of the 
person from whom they were taken, in 
connection with the investigation of an offence 
by the police.” 


(4) After that subsection insert — 


“(1A) The Board is to be known as the Forensic Information Database 
Strategy Board.” 


(5) In subsection (2)— 
(a) omit “National DNA Database Strategy”, 
(b) for “guidance about” substitute “one or more codes of practice about — 


(a) the erasure of personal data from a database listed in 
subsection (1), 
(b) ”, and 
(c) at the end insert “, and 
(c) the destruction of other material from which biometric 
data contained in a database listed in subsection (1) is 
derived.” 
(6) In subsection (3), for “guidance” substitute “a code or practice”. 
(7) In subsection (4), omit “National DNA Database Strategy”. 
(8) In subsection (5), omit “National DNA Database Strategy”. 
(9) In subsection (6), omit “National DNA Database Strategy”. 
(10) In subsection (7), omit “National DNA Database Strategy”. 
(11) At the end insert — 
“(10) The Secretary of State may by regulations made by statutory 
instrument — 
(a) oo the databases which the Board is required to oversee 


(i) adding a database operated for policing purposes which 
consists entirely or mainly of biometric data, or 
(ii) removing a database; 
(b) rename the Board; 
(c) require or authorise the Board to issue a code of practice or 
guidance. 


(11) Regulations under subsection (10) may — 
(a) amend this section; 
(b) make different provision for different purposes; 


(c) make consequential, transitional, transitory or saving 
provision. 


(12) Regulations under this section may not be made unless a draft of the 
statutory instrument containing them has been laid before Parliament 
and approved by a resolution of each House. 


(13) In this section— 


“biometric data” means personal data resulting from specific 
technical processing relating to the physical, physiological or 
behavioural characteristics of an individual, which allows or 
confirms the unique identification of that individual, such as 
facial images or dactyloscopic data; 


“personal data” has the same meaning as in the Data Protection 
Act 2018 (see section 3(2) of that Act).” 


PART 6 


FINAL PROVISIONS 


106 Power to make consequential amendments 


(1) The Secretary of State may by regulations make provision that is consequential 
on any provision made by this Act. 


(2) Regulations under this section — 
(a) may make different provision for different purposes; 
(b) may include transitional, transitory or saving provision; 


(c) may amend, repeal or revoke any provision made by primary 
legislation passed or made before, or in the same Session as, this Act. 


(3) Regulations under this section that amend, repeal or revoke primary 
legislation are subject to the affirmative resolution procedure. 


(4) Any other regulations under this section are subject to the negative resolution 
procedure. 


(5) In this section, “primary legislation” means — 
(a) an Act of Parliament; 
(b) an Act of the Scottish Parliament; 
(c) a Measure or Act of Senedd Cymru; 
(d) Northern Ireland legislation; 
(e) retained direct principal EU legislation. 


107 Regulations 


(1) Regulations under this Act are to be made by statutory instrument. 
(2) Where regulations under this Act are subject to “the affirmative resolution 
procedure” the regulations may not be made unless a draft of the statutory 
instrument containing them has been laid before Parliament and approved by 
a resolution of each House of Parliament. 


(3) Where regulations under this Act are subject to “the negative resolution 
procedure” the statutory instrument containing the regulations is subject to 
annulment in pursuance of a resolution of either House of Parliament. 


(4) Any provision that may be included in regulations under this Act subject to the 
negative resolution procedure may be made by regulations subject to the 
affirmative resolution procedure. 


108 Interpretation 


In this Act— 

“the 2018 Act” means the Data Protection Act 2018 (see section 1); 

“the UK GDPR” means Regulation (EU) 2016/679 of the European 
Parliament and of the Council of 27 April on the protection of natural 
persons with regard to the processing of personal data and on the free 
movement of such data. 


109 Financial provision 


There is to be paid out of money provided by Parliament — 


(a) any expenditure incurred under or by virtue of this Act by the Secretary of 
State, the Treasury or a government department, and 


(b) any increase attributable to this Act in the sums payable under any other Act 
out of money so provided. 


110 Extent 


(1) This Act extends to England and Wales, Scotland and Northern Ireland, subject 
to subsections (2) to (4). 


(2) The following provisions extend to England and Wales only — 
(a) sections 94 to 97 (registers of births and deaths); 


(b) section 99 and Schedule 12 (information standards for health and adult 
social care). 


(3) Paragraph 23 of Schedule 12A to the 2018 Act, inserted by Schedule 13 to this 
Act, extends to England and Wales and Northern Ireland only. 


(4) Subject to subsection (3), an amendment, repeal or revocation made by this Act 
has the same extent as the enactment amended, repealed or revoked. 


111 Commencement 


(1) Except as provided by subsections (2) and (3), this Act comes into force on such 
day as the Secretary of State may by regulations appoint. 


(2) The following provisions come into force on the day on which this Act is 
passed — 
(a) section 60 (report on the operation of Part 2); 
(b) section 75 (review of regulations under Part 3); 
(c) this Part; 

(d) any other provision of this Act so far as it confers power to make 
regulations or is otherwise necessary for enabling the exercise of such a 
power on or after the day on which this Act is passed. 


(3) The following provisions come into force at the end of the period of two 
months beginning with the day on which this Act is passed — 
(a) section 4 (consent of data subject to law enforcement processing); 
(b) section 13 (representatives of controllers or processors not established 
in the UK); 
(c) section 16 (logging of law enforcement processing); 
(d) section 34 (power of Commissioner to require documents); 
(e) section 105 (oversight of biometrics databases). 


(4) Regulations under this section may make different provision for different 
purposes. 
112 Transitional provision 


(1) The Secretary of State may by regulations make transitional, transitory or 
saving provision in connection with the coming into force of any provision of 
this Act. 


(2) Regulations under this section may make provision amending or repealing a 
provision of Schedule 21 to the 2018 Act or Part 2 of Schedule 7 to this Act. 


(3) Regulations under this section containing provision described in subsection (2) 
are subject to the negative resolution procedure. 


(4) Regulations under this section may make different provision for different 
purposes. 
113 Short title 
This Act may be cited as the Data Protection and Digital Information Act 2022. 
SCHEDULES 


SCHEDULE 1 Section 5 
LAWFULNESS OF PROCESSING: RECOGNISED LEGITIMATE INTERESTS 


In the UK GDPR, at the end insert — 


“ANNEX 1 


LAWFULNESS OF PROCESSING: RECOGNISED LEGITIMATE 
INTERESTS 


Disclosure for purposes of processing described in Article 6(1)(e) 
1. This condition is met where — 

(a) the processing is necessary for the purposes of making a disclosure 
of personal data to another person in response to a request from the 
other person, and 

(b) the request states that the other person needs the personal data for 
the purposes of carrying out processing described in Article 6(1)(e) 
that has a legal basis that satisfies Article 6(3). 

National security, public security and defence 
2. This condition is met where the processing is necessary — 

(a) for the purposes of safeguarding national security, 

(b) for the purposes of protecting public security, or 

(c) for defence purposes. 


Emergencies 


3. This condition is met where the processing is necessary for the 
purposes of responding to an emergency. 


4. In paragraph 3, “emergency” has the same meaning as in Part 2 of the 
Civil Contingencies Act 2004. 


Crime 
5. This condition is met where the processing is necessary for the 
purposes of — 


(a) detecting, investigating or preventing crime, or 
(b) apprehending or prosecuting offenders. 
Safeguarding vulnerable individuals 


6. This condition is met where the processing is necessary for the 
purposes of safeguarding a vulnerable individual. 


7. In paragraph 6— 
“safeguarding”, in relation to a vulnerable individual, means — 


(a) protecting a vulnerable individual from neglect or physical, mental 
or emotional harm, or 


(b) protecting the physical, mental or emotional well-being of a 
vulnerable individual; 


“vulnerable individual” means an individual — 
(a) aged under 18, or 
(b) aged 18 or over and at risk. 
8. For the purposes of paragraph 7 — 
(a) protection of an individual, or of the well-being of an individual, 
includes both protection relating to a particular individual and 


protection relating to a type of individual, and 


(b) an individual aged 18 or over is “at risk” if the controller has 
reasonable cause to suspect that the individual — 


(i) has needs for care and support, 


(ii) is experiencing, or at risk of, neglect or physical, mental or 
emotional harm, and 


(iii) as a result of those needs is unable to protect themselves 
against the neglect, harm or risk. 


Democratic engagement 
9. This condition is met where — 


(a) the processing is carried out for the purposes of democratic 
engagement, and 


(b) the data subject is aged 14 or over. 
10. For the purposes of paragraph 9, processing is carried out for the 
purposes of democratic engagement if — 


(a) the processing — 

(i) is carried out by an elected representative or a person acting 
with the authority of such a representative, and 

(ii) is necessary for the purposes of discharging the elected 
representative’s functions or for the purposes of the elected 
representative’s democratic engagement activities, 


(b) the processing — 

(i) is carried out by a person or organisation included in a 
register maintained under section 23 of the Political Parties, 
Elections and Referendums Act 2000, and 

(ii) is necessary for the purposes of the person’s or 
organisation’s democratic engagement activities, for the 
purposes of assisting an elected representative with their 
functions or democratic engagement activities or for the 
purposes of assisting with a candidate’s campaign for 
election as an elected representative, 


(c) the processing — 

(i) is carried out by a candidate for election as an elected 
representative or a person acting with the authority of such a 
candidate, and 

(ii) is necessary for the purposes of the candidate’s campaign for 
election, 


(d) the processing — 

(i) is carried out by a permitted participant in relation to a 
referendum or a person acting with the authority of such a 
person, and 

(ii) is necessary for the purposes of the permitted participant’s 
campaigning in connection with the referendum, or 


(e) the processing — 

(i) is carried out by an accredited campaigner in relation to a 
recall petition or a person acting with the authority of such a 
person, and 

(ii) is necessary for the purposes of the accredited campaigner’s 
campaigning in connection with the recall petition. 


11. In paragraph 10— 
“accredited campaigner” has the meaning given in Part 5 of Schedule 3 
to the Recall of MPs Act 2015; 


“candidate”, in relation to election as an elected representative, has the 
meaning given by the provisions listed in the relevant entry in the second 
column of the table in paragraph 12; 


“democratic engagement activities” means activities whose purpose is to 
support or promote democratic engagement; 


“elected representative” means a person listed in the first column of the 
table in paragraph 12 and see also paragraphs 13 and 14; 


“permitted participant” has the same meaning as in Part 7 of the Political 
Parties, Elections and Referendums Act 2000 (referendums) (see section 
105 of that Act); 


“recall petition” has the same meaning as in the Recall of MPs Act 2015 
(see section 1(2) of that Act); 


“referendum” means a referendum or other poll held on one or more 
questions specified in, or in accordance with, an enactment. 


12. This is the table referred to in paragraph 11— 


Elected representative | Candidate for election as an elected representative 

(a) a member of the House of Commons | section 118A of the Representation of the People Act 1983 

(b) a member of the Senedd | article 84(2) of the National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236) 

(c) a member of the Scottish Parliament | article 80(1) of the Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425) 

(d) a member of the Northern Ireland Assembly | section 118A of the Representation of the People Act 1983, as applied by the Northern Ireland Assembly (Elections) Order 2001 (S.I. 2001/2599) 

(e) an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely — (i) in England, a county council, a district council, a London borough council or a parish council; (ii) in Wales, a county council, a county borough council or a community council; | section 118A of the Representation of the People Act 1983 

(f) an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000 | section 118A of the Representation of the People Act 1983, as applied by the Local Authorities (Mayoral Elections) (England and Wales) Regulations 2007 (S.I. 2007/1024) 

(g) a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009 | section 118A of the Representation of the People Act 1983, as applied by the Combined Authorities (Mayoral Elections) Order 2017 (S.I. 2017/67) 

(h) the Mayor of London or an elected member of the London Assembly | section 118A of the Representation of the People Act 1983 

(i) an elected member of the Common Council of the City of London | section 118A of the Representation of the People Act 1983 

(j) an elected member of the Council of the Isles of Scilly | section 118A of the Representation of the People Act 1983 

(k) an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994 | section 118A of the Representation of the People Act 1983 

(l) an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.)) | section 130(3A) of the Electoral Law Act (Northern Ireland) 1962 (c. 9 (N.I.)) 

(m) a police and crime commissioner | article 3 of the Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917) 


13. For the purposes of the definition of “elected representative” in 
paragraph 11, a person who is — 


(a) a member of the House of Commons immediately before 
Parliament is dissolved, 


(b) a member of the Senedd immediately before Senedd Cymru is 
dissolved, 


(c) a member of the Scottish Parliament immediately before that 
Parliament is dissolved, or 


(d) a member of the Northern Ireland Assembly immediately before 
that Assembly is dissolved, 


is to be treated as if the person were such a member until the end of the 
fourth day after the day on which the subsequent general election in 
relation to that Parliament or Assembly is held. 


14. For the purposes of the definition of “elected representative” in 
paragraph 11, a person who is an elected member of the Common 
Council of the City of London and whose term of office comes to an 
end at the end of the day preceding the annual Wardmotes is to be 
treated as if the person were such a member until the end of the fourth 
day after the day on which those Wardmotes are held.” 


SCHEDULE 2 Section 6 


PURPOSE LIMITATION: PROCESSING TO BE TREATED AS COMPATIBLE WITH ORIGINAL 
PURPOSE 


In the UK GDPR, after Annex 1 (inserted by Schedule 1 to this Act) insert — 


“ANNEX 2 


PURPOSE LIMITATION: PROCESSING TO BE TREATED AS 
COMPATIBLE WITH ORIGINAL PURPOSE 


Disclosure for purposes of processing described in Article 6(1)(e)


1. This condition is met where —


(a) the processing is necessary for the purposes of making a disclosure
of personal data to another person in response to a request from the
other person,


(b) the request states that the other person needs the personal data for 
the purposes of carrying out processing that — 


(i) is described in Article 6(1)(e), 
(ii) has a legal basis that satisfies Article 6(3), and 


(iii) is necessary to safeguard an objective listed in Article 23(1)(c)
to (j), and 


(c) the processing is not carried out by a public authority in the 
performance of its tasks. 


Public security 


2. This condition is met where the processing is necessary for the 
purposes of protecting public security. 


Emergencies 


3. This condition is met where the processing is necessary for the
purposes of responding to an emergency. 


4. In paragraph 2, “emergency” has the same meaning as in Part 2 of the 
Civil Contingencies Act 2004. 


Crime 


5. This condition is met where the processing is necessary for the 
purposes of — 


(a) detecting, investigating or preventing crime, or 
(b) apprehending or prosecuting offenders.


Protection of vital interests of data subjects and others


6. This condition is met where the processing is necessary for the
purposes of protecting the vital interests of the data subject or another 
individual. 


Safeguarding vulnerable individuals 


7. This condition is met where the processing is necessary for the 
purposes of safeguarding a vulnerable individual. 


8. In paragraph 7— 


“safeguarding”, in relation to a vulnerable individual, means —

(a) protecting a vulnerable individual from neglect or physical, mental
or emotional harm, or 


(b) protecting the physical, mental or emotional well-being of a 
vulnerable individual; 


“vulnerable individual” means an individual —
(a) aged under 18, or
(b) aged 18 or over and at risk.


9. For the purposes of paragraph 8 —

(a) protection of an individual, or of the well-being of an individual,
includes both protection relating to a particular individual and
protection relating to a type of individual, and


(b) an individual aged 18 or over is “at risk” if the controller has 
reasonable cause to suspect that the individual — 


(i) has needs for care and support, 


(ii) is experiencing, or at risk of, neglect or physical, mental or
emotional harm, and 


(iii) as a result of those needs is unable to protect themselves 
against the neglect, harm or risk. 


Taxation 


10. This condition is met where the processing is carried out for the
purposes of the assessment or collection of a tax or duty or an 
imposition of a similar nature. 


Legal obligations 


11. This condition is met where the processing is necessary for the 
purposes of complying with an obligation of the controller under an
enactment, a rule of law or an order of a court or tribunal.” 


SCHEDULE 3 Section 11 
AUTOMATED DECISION-MAKING: CONSEQUENTIAL AMENDMENTS 
The UK GDPR 


1 The UK GDPR is amended as follows.


2 (1) Article 12 (transparent information, communication and modalities for the
exercise of the rights of the data subject) is amended as follows.

(2) In paragraph 1, for “under Articles 15 to 22” substitute “made under or by
virtue of Articles 15 to 22D”.


(3) In paragraph 2, for “22” (in both places) substitute “22D”.


(4) In paragraph 3, for “under Articles 15 to 22” substitute “made under or by 
virtue of Articles 15 to 22D”. 


(5) In paragraph 5, for “under Articles 15 to 22” substitute “under or by virtue 
of Articles 15 to 22D”. 


In Article 13(2)(f) (information about automated decision-making to be 
provided where personal data is collected from the data subject), for 
“referred to in Article 22(1) and (4)” substitute “which is subject to the 
requirement to provide safeguards under Article 22C”. 


In Article 14(2)(g) (information about automated decision-making to be 
provided where personal data is not obtained from the data subject), for 
“referred to in Article 22(1) and (4)” substitute “which is subject to the 
requirement to provide safeguards under Article 22C”. 


In Article 15(1)(h) (right of access by the data subject), for “referred to in 
Article 22(1) and (4)” substitute “which is subject to the requirement to 
provide safeguards under Article 22C”. 


In the heading of Section 4 of Chapter 3, omit “and automated decision-making”.


In Article 23(1) (restrictions), for “in Articles 12 to 22” (in both places) 
substitute “in or under Articles 12 to 22D”. 


In Article 47(2)(e) (binding corporate rules), for the words from “the right 
not” to “Article 22” substitute “the right to protection in connection with 
decisions (including profiling) based solely on automated processing in 
accordance with, and with regulations made under, Articles 22A to 22D”. 


In Article 83(5)(b) (general conditions for imposing administrative fines), for 
“22” substitute “22D”. 


The 2018 Act 


10 The 2018 Act is amended as follows.


11 Omit section 14 (automated decision-making authorised by law:
safeguards).


12 In section 43(1)(d) (overview and scope of provisions in Part 3 about rights
of the data subject), for “sections 49 and 50” substitute “sections 50A to 50D”.


13 Section 52 (form of provision of information etc) is amended as follows.
In subsection (3), for “, 47 or 50” substitute “or 47”.
In subsection (6), for “50” substitute “50D”.


14 Section 53 (manifestly unfounded or excessive requests by the data subject)
is amended as follows.


(2) In subsection (A1) (inserted by section 7 of this Act), for “, 47 or 50” substitute
“or 47”.

(3) In subsection (3), for “, 47 or 50” substitute “or 47”.


15 In section 149(2)(b) (enforcement notices) — 
(a) after “provision of” insert “or made under”, and 
(b) for “22” substitute “22D”. 


16 In section 157(2)(a) (maximum amount of penalty), for “49,” substitute “50B,
50C,”.


SCHEDULE 4 Section 20 


OBLIGATIONS OF CONTROLLERS AND PROCESSORS: CONSEQUENTIAL AMENDMENTS 


The UK GDPR 
1 The UK GDPR is amended as follows. 
2 In Article 4(1) (definitions), after point (11) insert — 


“(11A) “senior responsible individual” means an individual designated 
as the senior responsible individual of a controller or processor 
under Article 27A;”. 


3 In Article 13(1)(b) (information to be provided where personal data is 
collected from the data subject), for “data protection officer” substitute 
“senior responsible individual”. 


4 In Article 14(1)(b) (information to be provided where personal data has not 
been obtained from the data subject), for “data protection officer” substitute 
“senior responsible individual”. 


5 In the heading of Section 1 of Chapter 4 (general obligations), at the end 
insert “of the controller”. 


6 In Article 33(3)(b) (notification of a personal data breach to the 
Commissioner), for “data protection officer” substitute “senior responsible 
individual”. 

7 In Article 47(2)(h) (binding corporate rules), for “data protection officer 
designated in accordance with Article 37” substitute “senior responsible 
individual”. 

8 In Article 49(6) (derogations for specific authorities: documenting 
assessment), for “30” substitute “30A”. 


9 (1) Article 57 (tasks of the Information Commissioner) is amended as follows. 


(2) In paragraph 1(k), for “in relation to the requirement for data protection 
impact assessment” substitute “of kinds of processing operations”. 


(3) In paragraph 3, for “data protection officer” substitute “senior responsible 
individual”. 


10 (1) Article 83 (general conditions for imposing an administrative fine) is
amended as follows.

(2) In paragraph 2(c), at the end insert “, including any consultation under
Article 36(1)”.


(3) In paragraph 2(d), omit “technical and organisational”.


(4) In paragraph 4(a), for “39” substitute “36”. 


The 2018 Act 
11 The 2018 Act is amended as follows. 
12 In section 33 (other definitions for Part 3), after subsection (6) insert — 


“(6A) “Senior responsible individual” means an individual designated as 
the senior responsible individual of a controller or processor under 
section 58A.” 


13 In section 44(1)(b) (controller’s duty to provide information), for “data 
protection officer (see sections 69 to 71)” substitute “senior responsible 
individual”. 

14 In section 55(1) (overview of provisions in Part 3 about controllers and 
processors) — 


(a) in paragraph (a), for “and processors (see sections 56 to 65)” 
substitute “(see sections 56 to 58)”, 
(b) after that paragraph insert — 

“(aa) makes provision for the designation, tasks and 
position of senior responsible individuals (see 
sections 58A to 58C); 

(ab) makes provision about processors (see section 59) and 
processing under the authority of the controller or 
processor (see section 60); 

(ac) makes provision about records (see sections 61A and 
62) and co-operation with the Commissioner (see 
section 63); 

(ad) makes provision about risk assessment (see section 
64) and prior consultation with the Commissioner 
(see section 65);”, and 

(c) omit paragraph (d). 


15 In section 67(4)(b) (notification of a personal data breach to the 
Commissioner), for “data protection officer” substitute “senior responsible 
individual”. 


16 In section 68(2)(b) (communication of a personal data breach to the data 
subject), for “data protection officer” substitute “senior responsible 
individual”. 


17 (1) Section 134 (Commissioner’s power to charge fees for services) is amended 
as follows. 


(2) The existing text becomes subsection (1). 


(3) In that subsection, for “data protection officer” substitute “senior responsible
individual”.

(4) After that subsection insert —


“(2) In this section and section 135, “senior responsible individual” means
an individual designated as the senior responsible individual of a 
controller or processor under Article 27A of the UK GDPR or section 
58A of this Act.” 


In section 135(1) (manifestly unfounded or excessive requests by data 
subject etc), for “data protection officer” substitute “senior responsible 
individual”. 
In section 149(2)(c) (enforcement notices) — 

(a) for “39” substitute “35”, and 

(b) omit “or 65”. 


In section 155(3) (penalty notices) — 
(a) in paragraph (c), at the end insert “, including any consultation under 
section 65”, and 
(b) in paragraph (d), omit “technical and organisational”. 


In section 206 (index of defined expressions), in the Table, at the appropriate 
place insert — 


“senior responsible individual (in Part 3) | section 33”.


In paragraph 41 of Schedule 1 (additional safeguards for processing of 
special categories of personal data etc: record of processing), for “30” 
substitute “30A”. 


In paragraph 9 of Schedule 21 (further transitional provision etc: transfers 
under the UK GDPR subject to appropriate safeguards provided by binding 
corporate rules) — 
(a) in sub-paragraph (5B)(c)(i), for “data protection officer” substitute 
“senior responsible individual”, and 
(b) in sub-paragraph (7), at the end insert — 
““senior responsible individual” means a person
designated as a senior responsible individual under 
Article 27A of the UK GDPR or section 58A of this 
Act.” 


SCHEDULE 5 Section 21 


TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES ETC: GENERAL PROCESSING 


Introduction 


1 Chapter 5 of the UK GDPR (transfers of personal data to third countries or
international organisations) is amended as follows.


General principles for transfers


2 (1) Omit Article 44 (transfers of personal data to third countries etc: general 
principles for transfers). 


(2) After that Article insert — 
“Article 44A 
General principles for transfers 


1. A controller or processor may transfer personal data to a third country
or an international organisation only if — 


(a) the condition in paragraph 2 is met, and 


(b) the transfer is carried out in compliance with the other provisions 
of this Regulation. 


2. The condition is met if the transfer — 


(a) is approved by regulations under Article 45A that are in force at 
the time of the transfer, 


(b) is made subject to appropriate safeguards (see Article 46), or 


(c) is made in reliance on a derogation for special situations (see
Article 49).


3. A transfer may not be made in reliance on paragraph 2(b) or (c) if, or
to the extent that, it would breach a restriction in regulations under Article
49A.”


Transfers approved by regulations
3 Omit Article 45 (transfers on the basis of an adequacy decision). 
4 After that Article insert — 
“Article 45A 
Transfers approved by regulations 


1. For the purposes of Article 44A, the Secretary of State may by 
regulations approve transfers of personal data to— 


(a) a third country, or
(b) an international organisation.


2. The Secretary of State may only make regulations under this Article
approving transfers to a third country or international organisation if the
Secretary of State considers that the data protection test is met in relation to
the transfers (see Article 45B).

3. In making regulations under this Article, the Secretary of State may
have regard to any matter which the Secretary of State considers relevant,
including the desirability of facilitating transfers of personal data to and
from the United Kingdom.

4. Regulations under this Article may, among other things — 


(a) make provision in relation to a third country or international 
organisation specified in the regulations or a description of 
country or organisation; 


(b) approve all transfers of personal data to a third country or 
international organisation or only transfers specified or described 
in the regulations; 


(c) identify a transfer of personal data by any means, including by 
reference to— 


(i) a sector or geographic area within a third country,

(ii) the controller or processor, 

(iii) the recipient of the personal data, 

(iv) the personal data transferred, 

(v) the means by which the transfer is made, or

(vi) relevant legislation, schemes, lists or other arrangements or 
documents, as they have effect from time to time; 


(d) confer a discretion on a person. 


5. Regulations under this Article are subject to the negative resolution 
procedure. 


Article 45B 
The data protection test 


1. For the purposes of Article 45A, the data protection test is met in 
relation to transfers of personal data to a third country or international 
organisation if the standard of the protection provided for data subjects with 
regard to general processing of personal data in the country or by the 
organisation is not materially lower than the standard of the protection 
provided for data subjects by or under — 


(a) this Regulation, 
(b) Part 2 of the 2018 Act, and 


(c) Parts 5 to 7 of that Act, so far as relevant to general processing. 




2. In considering whether the data protection test is met in relation to
transfers of personal data to a third country or international organisation,
the Secretary of State must consider, among other things —

(a) respect for the rule of law and for human rights in the country or
by the organisation,

(b) the existence, and powers, of an authority responsible for
enforcing the protection of data subjects with regard to the
processing of personal data in the country or by the organisation,

(c) arrangements for judicial or non-judicial redress for data subjects
in connection with such processing,

(d) rules about the transfer of personal data from the country or by the
organisation to other countries or international organisations,

(e) relevant international obligations of the country or organisation,
and

(f) the constitution, traditions and culture of the country or
organisation.


3. In paragraphs 1 and 2 —

(a) the references to the protection provided for data subjects are to
that protection taken as a whole,

(b) the references to general processing are to processing to which this
Regulation applies or equivalent types of processing in the third
country or by the international organisation (as appropriate), and

(c) the references to processing of personal data in the third country or
by the international organisation are references only to the
processing of personal data transferred from the United Kingdom.


4. When the data protection test is applied only to certain transfers to a
third country or international organisation that are specified or described, or
to be specified or described, in regulations (in accordance with Article
45A(4)(b)) —

(a) the references in paragraphs 1 to 3 to personal data are to be read
as references only to personal data likely to be the subject of such
transfers, and

(b) the reference in paragraph 2(d) to the transfer of personal data to
other countries or international organisations is to be read as
including the transfer of personal data within the third country or
international organisation.”


Transfers approved by regulations: monitoring


5 After Article 45B (inserted by paragraph 4) insert —


“Article 45C 
Transfers approved by regulations: monitoring 


1. The Secretary of State must, on an ongoing basis, monitor 
developments in third countries and international organisations that could 
affect decisions to make regulations under Article 45A or to amend or 
revoke such regulations. 


2. Where the Secretary of State becomes aware that the data protection
test is no longer met in relation to transfers approved, or of a description 
approved, in regulations under Article 45A, the Secretary of State must, to 
the extent necessary, amend or revoke the regulations. 


3. Where regulations under Article 45A are amended or revoked in
accordance with paragraph 2, the Secretary of State must enter into 
consultations with the third country or international organisation concerned 
with a view to improving the protection provided to data subjects with 
regard to the processing of personal data in the country or by the 
organisation. 


4. The Secretary of State must publish — 


(a) a list of the third countries and international organisations, and the
descriptions of such countries and organisations, which are for the 
time being approved by regulations under Article 45A as places or 
persons to which personal data may be transferred, and 


(b) a list of the third countries and international organisations, and the
descriptions of such countries and organisations, which have been 
but are no longer approved by such regulations. 


5. In the case of regulations under Article 45A which approve only 
certain transfers to a third country or international organisation specified or 
described in the regulations (in accordance with Article 45A(4)(b)), the lists 
published under paragraph 4 must specify or describe the relevant 
transfers.” 


Transfers subject to appropriate safeguards 


6 (1) Article 46 (transfers subject to appropriate safeguards) is amended as
follows.


(2) Omit paragraph 1. 
(3) After that paragraph insert — 


“1A. A transfer of personal data to a third country or an international
organisation by a controller or processor is made subject to appropriate
safeguards only —

(a) in a case in which —

(i) safeguards are provided in connection with the transfer as
described in paragraph 2 or 3 or regulations made under
Article 47A(4), and

(ii) the controller or processor, acting reasonably and
proportionately, considers that the data protection test is met
in relation to the transfer or that type of transfer (see
paragraph 6), or

(b) in a case in which —

(i) safeguards are provided in accordance with paragraph 2(a)
by an instrument that is intended to be relied on in
connection with the transfer or that type of transfer, and

(ii) each public body that is a party to the instrument, acting
reasonably and proportionately, considers that the data
protection test is met in relation to the transfers, or types of
transfer, intended to be made in reliance on the instrument
(see paragraph 6).”


(4) In paragraph 2 —

(a) in the words before point (a) —

(i) omit “appropriate”, and

(ii) for “paragraph 1” substitute “paragraph 1A(a)”,

(b) in point (a), for “public authorities or bodies” substitute “a public
body and another relevant person or persons”,

(c) in point (b), after “rules” insert “approved”,

(d) in point (c), for “section 17C of the 2018 Act” substitute “Article
47A(1)”,

(e) in point (e), for “appropriate safeguards” substitute “safeguards
provided by the code”, and

(f) in point (f), “appropriate safeguards” substitute “safeguards
provided by the mechanism”.


(5) In paragraph 3, in the words before point (a) —

(a) omit “appropriate”,

(b) for “paragraph 1” substitute “paragraph 1A(a)”,

(c) omit “, in particular,”, and

(d) in point (b), for “public authorities or bodies” substitute “a public
body and another relevant person or persons”.


(6) At the end insert — 


“6. For the purposes of this Article, the data protection test is met in
relation to a transfer, or a type of transfer, of personal data if, after the
transfer, the standard of the protection provided for the data subject with
regard to that personal data by the safeguards required under paragraph
1A, and (where relevant) by other means, would not be materially lower
than the standard of the protection provided for the data subject with regard
to the personal data by or under —


(a) this Regulation, 
(b) Part 2 of the 2018 Act, and 


(c) Parts 5 to 7 of that Act, so far as relevant to processing to which this 
Regulation applies. 


7. For the purposes of paragraph 1A(a)(ii) and (b)(ii), what is reasonable 
and proportionate is to be determined by reference to all the circumstances, 
or likely circumstances, of the transfer or type of transfer, including the 
nature and volume of the personal data transferred. 


8. In this Article — 


(a) references to the protection provided for the data subject are to that
protection taken as a whole;


(b) “relevant person” means a public body or another person 
exercising functions of a public nature.” 


In the heading of Article 47 (binding corporate rules) at the beginning insert 
“Transfers subject to appropriate safeguards:”. 


After Article 47 insert — 


“Article 47A 
Transfers subject to appropriate safeguards: further provision 


1. The Secretary of State may by regulations specify standard data 
protection clauses which the Secretary of State considers are capable of 
securing that the data protection test set out in Article 46 is met in relation to 
transfers of personal data generally or in relation to a type of transfer 
specified in the regulations. 


2. The Secretary of State must keep under review the standard data 
protection clauses specified in regulations under paragraph 1 that are for the 
time being in force. 


3. Regulations under paragraph 1 are subject to the negative resolution
procedure.


4. The Secretary of State may by regulations make provision about
further safeguards that may be relied on for the purposes of Article
46(1A)(a).


5. The Secretary of State may only make regulations under paragraph 4
if the Secretary of State considers that the further safeguards are capable of
securing that the data protection test set out in Article 46 is met in relation to
transfers of personal data generally or in relation to a type of transfer
specified in the regulations.


6. Regulations under paragraph 4 may (among other things) —


(a) make provision by adopting safeguards prepared or published by 
another person; 


(b) make provision about ways of providing safeguards which require 
authorisation from the Commissioner; 


(c) amend Article 46 by — 
(i) adding ways of providing safeguards, or 


(ii) varying or omitting ways of providing safeguards which 
were added by regulations under this Article. 


7. Regulations under paragraph 4 are subject to the affirmative 
resolution procedure.” 


Derogations for specific circumstances 


9 (1) Article 49 (derogations for specific situations) is amended as follows. 


(2) In paragraph 1, in the first subparagraph — 

(a) for “adequacy regulations under section 17A of the 2018 Act, or of 
appropriate safeguards pursuant to Article 46, including binding 
corporate rules” substitute “approval by regulations under Article 
45A and of compliance with Article 46 (appropriate safeguards)”, 
and 

(b) in point (a), for “an adequacy decision” substitute “approval by 
regulations under Article 45A”. 


(3) In paragraph 1, in the second subparagraph, for “a provision in Article 45” 
substitute “Article 45A”. 


(4) In paragraph 4, for “section 18(1) of the 2018 Act” substitute “paragraph 4A”. 
(5) After paragraph 4 insert — 


“4A. The Secretary of State may by regulations specify for the purposes of 
point (d) of paragraph 1— 


(a) circumstances in which a transfer of personal data to a third 
country or international organisation is to be taken to be necessary 
for important reasons of public interest, and 


(b) circumstances in which a transfer of personal data to a third 
country or international organisation which is not required by an 
enactment is not to be taken to be necessary for important reasons 
of public interest.” 


(6) Omit paragraph 5A.

(7) After paragraph 6 insert —

“7. Regulations under this Article —


(a) are subject to the made affirmative resolution procedure where the 
Secretary of State has made an urgency statement in respect of 
them; 


(b) otherwise, are subject to the affirmative resolution procedure. 


8. For the purposes of this Article, an urgency statement is a reasoned 
statement that the Secretary of State considers it desirable for the regulations 
to come into force without delay.” 


Public interest restrictions 


10 After Article 49 insert — 


“Article 49A 


1. The Secretary of State may by regulations restrict the transfer of a 
category of personal data to a third country or international organisation 
where — 


(a) the transfer is not approved by regulations under Article 45A for 
the time being in force, and 


(b) the Secretary of State considers the restriction to be necessary for 
important reasons of public interest. 


2. Regulations under this Article — 


(a) are subject to the made affirmative resolution procedure where the 
Secretary of State has made an urgency statement in respect of 
them; 


(b) otherwise, are subject to the affirmative resolution procedure. 


3. For the purposes of this Article, an urgency statement is a reasoned 
statement that the Secretary of State considers it desirable for the regulations 
to come into force without delay.” 


SCHEDULE 6 Section 21


TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES ETC: LAW ENFORCEMENT
PROCESSING


Introduction


1 Chapter 5 of Part 3 of the 2018 Act (transfers of personal data to third
countries etc) is amended as follows.


Overview and interpretation


2 In section 72 (overview and interpretation), for subsection (2) substitute — 


“(2) In this Chapter — 


“relevant authority”, in relation to a third country, means any 
person based in a third country that has (in that country) 
functions comparable to those of a competent authority; 


“relevant international organisation” means an international 
organisation that carries out functions for any of the law 
enforcement purposes; 


“relevant restricted transfer case” means (subject to subsection 
(3)) a case in which the personal data was originally made 
available to a competent authority (whether the current 
controller or a previous controller) — 

(a) by a relevant authority in a third country or by a 
relevant international organisation, and 


(b) subject to a condition (however imposed) that the 
data is not to be transferred to a third country or 
international organisation without authorisation 
from that authority or organisation or another such 
authority or organisation; 


“overseas authoriser”, in connection with a relevant restricted 
transfer case, means the person whose authorisation is 
required. 


(3) In a case in which the personal data was originally made available to
a competent authority subject to a condition that only requires 
authorisation for further transfers in certain circumstances, the case 
is a relevant restricted transfer case only in those circumstances.” 


General principles for transfer 


3 (1) Section 73 (general principles for transfers) is amended as follows.


(2) In subsection (1) —
(a) for “may not” substitute “may”,
(b) for “unless” substitute “for a law enforcement purpose only if”,
(c) omit paragraph (b) (and the “and” before it), and
(d) after that paragraph insert —


“(c) the transfer is carried out in accordance with the other 
provisions of this Part, and 


(d) in a relevant restricted transfer case, the overseas 
authoriser has authorised the transfer or subsection 
(5) applies.” 


(3) For subsection (3) substitute — 


“(3) Condition 2 is that the transfer — 


(a) is approved by regulations under section 74AA that are in 
force at the time of the transfer, 


(b) is made subject to appropriate safeguards (see section 75), or 
(c) is based on special circumstances (see section 76).” 


(4) In subsection (5) —

(a) for the words before paragraph (a) substitute “This subsection
applies if —”,

(b) in paragraph (a), for the words from “either” to “State” substitute “to 
the public security, national security or essential interests of a third 
country or the United Kingdom”, and 


(c) in paragraph (b), for “the authorisation” substitute “authorisation 
from the overseas authoriser”. 


(5) In subsection (6) — 


(a) for “without the authorisation” substitute “in a relevant restricted 
transfer case without the authorisation from the overseas 
authoriser”, and 


(b) for the words from “(1)(b)” to “the transfer” substitute “(1)(d), the 
overseas authoriser”. 


(6) Omit subsection (7).


Transfers approved by regulations


4 (1) Omit section 74A (transfers based on adequacy decisions). 
(2) After that section insert — 
“74AA Transfers approved by regulations 


(1) For the purposes of section 73, the Secretary of State may by 
regulations approve transfers of personal data to— 


(a) a third country, or 
(b) an international organisation.


(2) The Secretary of State may only make regulations under this section 
approving transfers to a third country or international organisation 
if the Secretary of State considers that the data protection test is met 
in relation to the transfers (see section 74AB). 


(3) In making regulations under this section, the Secretary of State may 
have regard to any matter which the Secretary of State considers 
relevant, including the desirability of facilitating transfers of 
personal data to and from the United Kingdom. 


(4) Regulations under this section may, among other things — 


(a) make provision by reference to a third country or 
international organisation specified in the regulations or a 
description of country or organisation; 


(b) approve all transfers of personal data to a third country or 
international organisation or only transfers specified or 
described in the regulations; 


(c) identify a transfer of personal data by any means, including 
by reference to— 


(i) a sector or geographic area within a third country,
(ii) the controller or processor,
(iii) the recipient of the personal data,
(iv) the personal data transferred,
(v) the means by which the transfer is made, or
(vi) relevant legislation, schemes, lists or other
arrangements or documents, as they have effect from
time to time;


(d) confer a discretion on a person. 


(5) Regulations under this section are subject to the negative resolution
procedure.


74AB The data protection test 


(1) For the purposes of section 74AA, the data protection test is met in 
relation to transfers to a third country or international organisation if 
the standard of the protection provided for data subjects with regard 
to law enforcement processing of personal data in the country or by 
the organisation is not materially lower than the standard of the 
protection provided for data subjects by or under — 


(a) this Part, and 
(b) Parts 5 to 7, so far as relevant to law enforcement processing. 


(2) In considering whether the data protection test is met in relation to 
transfers of personal data to a third country or international 
organisation, the Secretary of State must consider, among other 
things — 

(a) respect for the rule of law and for human rights in the country 
or by the organisation, 

(b) the existence, and powers, of an authority responsible for 
enforcing the protection of data subjects with regard to the 
processing of personal data in the country or by the 
organisation, 

(c) arrangements for judicial or non-judicial redress for data 
subjects in connection with such processing, 

(d) rules about the transfer of personal data from the country or 
by the organisation to other countries or international 
organisations, 

(e) relevant international obligations of the country or 
organisation, and 

(f) the constitution, traditions and culture of the country or 
organisation. 


(3) In subsections (1) and (2) —

(a) the references to the protection provided for data subjects are 
to that protection taken as a whole, 

(b) the references to law enforcement processing are to 
processing by a competent authority for any of the law 
enforcement purposes or equivalent types of processing in 
the third country or by the international organisation (as 
appropriate), and 

(c) the references to processing of personal data in the third 
country or by the international organisation are references 
only to the processing of personal data transferred from the 
United Kingdom. 


(4) When the data protection test is applied only to certain transfers to a
third country or international organisation that are specified or
described, or to be specified or described, in regulations (in
accordance with section 74AA(4)(b)) —

(a) the references in subsections (1) to (3) to personal data are to 
be read as references only to personal data likely to be the 
subject of such transfers, and 

(b) the reference in subsection (2)(d) to the transfer of personal 
data to other countries or international organisations is to be 
read as including the transfer of personal data within the 
third country or international organisation.” 


Transfers approved by regulations: monitoring 


5 (1) Section 74B (transfers based on adequacy regulations: review etc) is 
amended as follows. 


(2) For the heading substitute “Transfers approved by regulations: monitoring”. 
(3) Omit subsections (1) and (2). 


(4) In subsection (3), for “under section 74A” substitute “giving approval under 
section 74AA”. 


(5) In subsection (4), for the words from the beginning to “otherwise,” substitute
“Where the Secretary of State becomes aware that the data protection test is 
no longer met in relation to transfers to approved, or of a description 
approved, in regulations under section 74AA,”. 


(6) In subsection (5) —
(a) for “section 74A” substitute “section 74AA”, and 
(b) for “remedying the lack of an adequate level of protection” substitute 
“improving the protection provided to data subjects with regard to 
the processing of personal data in the country or by the 
organisation”. 


(7) In subsection (6)(a) —
(a) omit “, territories and specified sectors within a third country”,
(b) omit “, territories, sectors”, and


(c) for “specified in regulations under section 74A” substitute 
“approved by regulations under section 74AA as places or persons to 
which personal data may be transferred”. 


(8) In subsection (6)(b) —
(a) omit “, territories and specified sectors within a third country”,
(b) omit “, territories, sectors”, and
(c) for “specified in” substitute “approved by”. 


(9) In subsection (7) —

(a) for “regulations under section 74A which specify that an adequate
level of protection of personal data is ensured only for a transfer”
substitute “regulations under section 74AA which approve only
certain transfers to a third country or international organisation that
are”,

(b) after “the regulations” insert “(in accordance with section
74AA(4)(b))”, and


(c) omit paragraph (a).


Transfers subject to appropriate safeguards


6 (1) Section 75 (transfers on the basis of appropriate safeguards) is amended as
follows.


(2) In the heading, for “on the basis of” substitute “subject to”.
(3) Omit subsection (1).
(4) After that subsection insert —


“(1A) A transfer of personal data to a third country or an international 
organisation is made subject to appropriate safeguards only if — 

(a) the controller, acting reasonably and proportionately,
considers that the data protection test is met in relation to the
transfer or that type of transfer (see subsection (5)), or

(b) an appropriate legal instrument binds the intended recipient
of the data (see subsection (4)).” 


(5) In subsection (2), for “subsection (1)(b)” substitute “this section”.
(6) In subsection (3), for “subsection (1)” substitute “this section”.
(7) At the end insert —


“(4) For the purposes of this section, a legal instrument is “appropriate”, 
in relation to a transfer of personal data, if — 

(a) the instrument is intended to be relied on in connection with 
the transfer or that type of transfer, 

(b) at least one competent authority is a party to the instrument, 
and 

(c) each competent authority that is a party to the instrument, 
acting reasonably and proportionately, considers that the 
data protection test is met in relation to the transfers, or types 
of transfer, intended to be made in reliance on the instrument 
(see subsection (5)). 


(5) For the purposes of this section, the data protection test is met in 
relation to a transfer, or a type of transfer, of personal data if, after the 
transfer, the standard of the protection provided for the data subject 
with regard to that personal data, whether by a binding legal 
instrument or by other means, would not be materially lower than 
the standard of the protection provided for the data subject with 
regard to the personal data by or under— 

(a) this Part, and 
(b) Parts 5 to 7, so far as they relate to processing by a competent 
authority for any of the law enforcement purposes. 


(6) For the purposes of subsections (1A)(a) and (4)(c), what is reasonable 
and proportionate is to be determined by reference to all the 
circumstances, or likely circumstances, of the transfer or type of 
transfer, including the nature and volume of the personal data 
transferred. 


(7) In this section, references to the protection provided for the data 
subject are to that protection taken as a whole.”


Transfers based on special circumstances


7 (1) Section 76 (transfers on the basis of special circumstances) is amended as 
follows. 


(2) In the heading, for “on the basis of” substitute “based on”. 
(3) Before subsection (1) insert — 


“(A1) A transfer of personal data to a third country or international
organisation is based on special circumstances where —


(a) it is made in the absence of approval by regulations under
section 74AA and of compliance with section 75 (appropriate
safeguards), and


(b) it is necessary for a special purpose.”


(4) In subsection (1) — 
(a) for the words before paragraph (a) substitute “A transfer of personal 
data is necessary for a special purpose if it is necessary —”, 
(b) in paragraph (c) — 
(i) after “public security” insert “or national security”, and 
(ii) at the end insert “or the United Kingdom”, 
(c) in paragraph (d), for “in individual cases” substitute “in particular 
circumstances,”, and 
(d) in paragraph (e), for “in individual cases” substitute “in particular 
circumstances,”. 


(5) In subsection (2), for “But subsection (1)(d) and (e) do not apply” substitute 
“But a transfer of personal data is not necessary for a special purpose by 
virtue of subsection (1)(d) or (e)”. 


(6) After subsection (2) insert — 


“(2A) In accordance with the third data protection principle, the amount of
personal data transferred in reliance on this section must not be 
excessive in relation to the special purpose relied on.” 


(7) In subsection (3), for “subsection (1)” substitute “this section”. 
Subsequent transfers 


8 (1) Section 78 (subsequent transfers) is amended as follows. 


(2) In subsection (1) — 
(a) after “transfer” insert “— 
(a) ”, and
(b) at the end insert “(the “UK authoriser”), or 
(b) (subject to subsection (4)) that— 


(i) the data is not to be so transferred without 
such authorisation except where subsection 
(1A) applies, and 

(ii) where a transfer is made without such
authorisation, the UK authoriser must be
informed without delay.”


(3) After subsection (1) insert —


“(1A) This subsection applies if —


(a) the transfer is necessary for the prevention of an immediate 
and serious threat to the public security or national security 
of a third country or the United Kingdom, and 


(b) authorisation from the UK authoriser cannot be obtained in 
good time.” 


(4) In subsection (2), for “A competent authority” substitute “The UK 
authoriser”. 


(5) In subsection (3), for “competent authority” substitute “UK authoriser”. 
(6) For subsection (4) substitute — 


“(4) In a relevant restricted transfer case —
(a) the transferring controller must make the transfer subject to 
the condition described in subsection (1)(a), and 
(b) the UK authoriser may not authorise a further transfer of 
personal data under subsection (1)(a) unless the overseas 
authoriser has authorised the further transfer or subsection 
(5) applies.” 
(7) In subsection (5) — 
(a) for the words before paragraph (a) substitute “This subsection 
applies if—”, 
(b) in paragraph (a), for the words from “either” to “State” substitute “to
the public security, national security or essential interests of a third
country or the United Kingdom”, and


(c) in paragraph (b), for “the authorisation” substitute “authorisation 
from the overseas authoriser”. 


(8) In subsection (6) — 

(a) for “without the authorisation” substitute “in a relevant restricted 
transfer case without the authorisation from the overseas 
authoriser”, and 

(b) for the words from “(4)” to “the transfer” substitute “(4)(b), the 
overseas authoriser”. 


SCHEDULE 7 Section 21 


TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES ETC: CONSEQUENTIAL AND
TRANSITIONAL PROVISION


PART 1


CONSEQUENTIAL PROVISION 


The UK GDPR 


1 The UK GDPR is amended as follows.

2 In Article 13(1)(f) (information to be provided where personal data is
collected from the data subject), for “adequacy regulations under section 
17A of the 2018 Act” substitute “regulations under Article 45A”. 

3 In Article 14(1)(f) (information to be provided where personal data is not 
obtained from the data subject), for “adequacy regulations under section 
17A of the 2018 Act” substitute “regulations under Article 45A”. 

4 In Article 15(2) (right of access by the data subject) — 

(a) after “organisation” insert “in reliance on Article 46”, and 

(b) for “appropriate safeguards pursuant to Article 46 relating to”
substitute “safeguards provided in accordance with Article
46(1A)(a)(i) or (b)(i) for the purposes of”.

5 (1) Article 40 (codes of conduct) is amended as follows. 

(2) In paragraph 3, omit “appropriate” (in both places). 

(3) In paragraph 5— 
(a) for “provides” substitute “is capable of providing”, and 
(b) at the end insert “for the purposes of Article 46”. 

6 In Article 42(2) (certification), omit “appropriate”. 

7 In Article 57(1)(r) (Commissioner’s tasks), at the end insert “and provide 
authorisation required under regulations made under Article 47A”. 

8 In Article 58(3) (authorisation and advisory powers of the Commissioner), 
after point (i) insert — 

“(ia) to provide authorisation required under regulations made under 
Article 47A;”. 

9 In Article 83(5)(c) (general conditions for imposing administrative fines), for
“44” substitute “44A”.


The 2018 Act

10 The 2018 Act is amended as follows. 

11 Omit section 17A (transfers based on adequacy decisions) and the italic 
heading before it. 

12 Omit section 17B (transfers based on adequacy regulations: review etc). 

13 Omit section 17C (standard data protection clauses). 

14 Omit section 18 (transfers of personal data to third countries etc: public 
interest). 

15 In section 24(2) (manual unstructured data held by FOI public authorities) — 

(a) in paragraph (c), for “44 to 49” substitute “44A to 49A”, and 
(b) omit paragraph (ca). 

16 In section 26(2) (national security and defence exemption), omit paragraph 
(fa). 

17 In section 119A(1) (power of Information Commissioner to specify standard
clauses for transfers to third countries etc providing appropriate
safeguards), omit from “provide” to the end and insert “are capable of
securing that the data protection test set out in Article 46 of the UK GDPR is
met in relation to transfers of personal data generally or in relation to types
of transfer described in the document”.


18 In section 149(2)(e) (enforcement notices), for “44 to 49” substitute “44A to
49A”.


19 (1) Section 182 (regulations and consultation) is amended as follows.
(2) Omit subsection (4). 


(3) In subsection (6), for “Where regulations under this Act” substitute “For the 
purposes of this Act, where regulations”. 


(4) In subsection (7), for “Where regulations under this Act” substitute “For the 
purposes of this Act, where regulations”. 


(5) In subsection (8) — 
(a) for “Where regulations under this Act” substitute “For the purposes 
of this Act, regulations”, 
(b) after “procedure” insert “if”, 
(c) in paragraph (a), for “the urgency” substitute “an urgency”, and 
(d) in paragraph (b), for “the period of 120 days” substitute “a period”. 


(6) Omit subsections (9) and (10). 


(7) In subsection (11), after “by regulations” insert “made under this Act or
another enactment that are”.


(8) For subsection (14) substitute — 


“(14) For the purposes of this section, an urgency statement is a reasoned 
statement that the Secretary of State considers it desirable for 
regulations to come into force without delay.” 


20 In paragraph 26(9)(d) of Schedule 2 (exemptions etc for journalistic,
academic, artistic and literary purposes), for “44” substitute “44A”. 


21 (1) Part 3 of Schedule 21 (further transitional provision etc: transfers to third
countries and international organisations) is amended as follows. 


(2) In the heading before paragraph 4, for “adequacy decisions and adequacy 
regulations” substitute “transfers approved by regulations”. 


(3) In paragraph 4 (UK GDPR: adequacy decisions and adequacy regulations) — 
(a) in sub-paragraph (1), for “based on adequacy regulations” substitute
“to be treated as approved by regulations made under Article 45A of 
the UK GDPR”, 
(b) in sub-paragraph (4)(a), for “lists or other” substitute “schemes, lists 
or other arrangements or”, and 
(c) omit sub-paragraph (6). 
(4) In paragraph 6 (UK GDPR: application of certain provisions referring to 
regulations made under Article 45A of the UK GDPR) — 


(a) in sub-paragraph (1)(a), for “section 17A” substitute “Article 45A of
the UK GDPR”,
(b) for sub-paragraph (2) substitute —


“(2) Those provisions are Articles 13(1)(f), 14(1)(f), 45C, 49(1)
and 49A(1) of the UK GDPR.”, and
(c) after that sub-paragraph insert —


“(3) In its application to transfers treated as approved by virtue 
of paragraph 1, Article 45C(5) of the UK GDPR (transfers 
approved by regulations: monitoring) has effect as if the 
reference to Article 45A(4)(b) were omitted.” 


(5) In paragraph 7 (UK GDPR: transfers subject to appropriate safeguards 
provided by standard data protection clauses) — 

(a) in sub-paragraph (1), for “the appropriate safeguards referred to in 
Article 46(1) of the UK GDPR may be provided for” substitute “the 
requirement for safeguards to be provided under Article 46(1A)(a)(i) 
of the UK GDPR may be satisfied”, 

(b) in sub-paragraph (3)(a) — 

(i) for “or provision” substitute “, of provision”, and 

(ii) for “(or both)” substitute “or of the amendment of Chapter 5 
of the UK GDPR by the Data Protection and Digital 
Information Act 2022”, and 

(c) in sub-paragraph (4), after paragraph (a) insert —

“(aa) changing references to provision made by 
regulations under section 17A into references to 
provision made by regulations made under Article 
45A of the UK GDPR;”. 


(6) In paragraph 9 (UK GDPR: transfers subject to appropriate safeguards 
provided by binding corporate rules) — 

(a) in sub-paragraph (1), for “The appropriate safeguards referred to in 
Article 46(1) of the UK GDPR may be provided for” substitute “The 
requirement for safeguards to be provided under Article 46(1A)(a)(i) 
of the UK GDPR may be satisfied”, 

(b) in sub-paragraph (3)(a) — 

(i) for “or provision” substitute “, of provision”, and 

(ii) for “(or both)” substitute “or of the amendment of Chapter 5 
of the UK GDPR by the Data Protection and Digital 
Information Act 2022”, and 

(c) in sub-paragraph (4), after paragraph (a) insert —

“(aa) changing references to provision made by
regulations under section 17A into references to 
provision made by regulations made under Article 
45A of the UK GDPR;”. 


(7) In the heading before paragraph 10, for “adequacy decisions and adequacy
regulations” substitute “transfers approved by regulations”.


(8) In paragraph 10 (law enforcement processing: adequacy decisions and 
adequacy regulations) — 
(a) in sub-paragraph (1), for “based on adequacy regulations” substitute
“to be treated as approved by regulations made under section
74AA”,
(b) in sub-paragraph (4)(a), for “lists or other” substitute “schemes, lists
or other arrangements or”, and
(c) omit sub-paragraph (6).
(9) In paragraph 12 (Part 3 (law enforcement processing): application of certain 
provisions referring to regulations made under section 74A) — 
(a) the existing text becomes sub-paragraph (1), 
(b) in that sub-paragraph — 
(i) for the words before paragraph (a) substitute “In sections 74B 
and 76(A1)—”, and 
(ii) in paragraph (a), for “74A” substitute “74AA”, and 
(c) after that sub-paragraph insert — 


“(2) In its application to transfers treated as approved by virtue 
of paragraph 10, section 74B(7) (transfers approved by 
regulations: monitoring) has effect as if the reference to 
section 74AA(4)(b) were omitted.”


PART 2 
TRANSITIONAL PROVISION 
The UK GDPR: transfers approved by regulations 


22 (1) Regulations made under section 17A of the 2018 Act (transfers based on 
adequacy regulations) and in force immediately before the relevant day are 
to be treated, on and after that day, as if made under Article 45A of the UK 
GDPR (inserted by Schedule 5 to this Act). 


(2) In this paragraph, “the relevant day” means the day on which paragraph 4 
of Schedule 5 to this Act comes into force. 


The UK GDPR: transfers subject to appropriate safeguards provided by standard data 
protection clauses 


23 (1) Regulations made under section 17C of the 2018 Act (standard data 
protection clauses) and in force immediately before the relevant day are to 
be treated, on and after that day, as if made under Article 47A(1) of the UK 
GDPR (inserted by Schedule 5 to this Act). 


(2) In this paragraph, “the relevant day” means the day on which paragraph 8 
of Schedule 5 to this Act comes into force. 


24 (1) The requirement for safeguards to be provided under Article 46(1A)(a)(i) of 
the UK GDPR may be satisfied on and after the relevant day by a version of 
pre-commencement standard clauses incorporating changes where — 

(a) all of the changes are made in consequence of the amendment of 
Chapter 5 of the UK GDPR by this Act, and 


(b) none of the changes alters the effect of the clauses. 


(2) Changing a reference to regulations under section 17A of the 2018 Act into a 
reference to regulations made under Article 45A of the UK GDPR is to be 
treated as a change falling within sub-paragraph (1). 


(3) Sub-paragraphs (1) and (2) cease to apply in relation to pre-commencement 
standard clauses if — 
(a) where they are specified in regulations, the regulations are amended
or revoked on or after the relevant day, or
(b) where they are specified in another document, the document is
amended or withdrawn by the Information Commissioner on or 
after the relevant day. 


(4) Sub-paragraph (1) has effect in addition to Article 46(2) and (3) of the UK 
GDPR. 


(5) In this paragraph — 
“pre-commencement standard clauses” means standard data 
protection clauses specified in — 
(a) regulations made under section 17C of the 2018 Act and in 
force immediately before the relevant day, or 
(b) a document issued by the Information Commissioner under
section 119A of the 2018 Act before the relevant day and not 
withdrawn before that day; 
“the relevant day” means the day on which paragraph 6 of Schedule 5 
to this Act comes into force. 


The UK GDPR: transfers necessary for important reasons of public interest 


25 (1) Regulations made under section 18(1) of the 2018 Act (transfers necessary for 
important reasons of public interest) and in force immediately before the 
relevant day are to be treated, on and after that day, as if made under Article 
49(4A) of the UK GDPR (inserted by Schedule 5 to this Act). 


(2) In this paragraph, “the relevant day” means the day on which paragraph 9(5)
of Schedule 5 to this Act comes into force. 


The UK GDPR: restrictions on transfers of personal data to third countries and international 
organisations 


26 (1) Regulations made under section 18(2) of the 2018 Act (restrictions on 
transfers of personal data to third countries and international organisations) 
and in force immediately before the relevant day are to be treated, on and 
after that day, as if made under Article 49A of the UK GDPR (inserted by 
Schedule 5 to this Act). 


(2) In this paragraph, “the relevant day” means the day on which paragraph 10 
of Schedule 5 to this Act comes into force. 


Part 3 of the 2018 Act (law enforcement processing): transfers approved by regulations 


27 (1) Regulations made under section 74A of the 2018 Act (transfers based on 
adequacy regulations) and in force immediately before the relevant day are 
to be treated, on and after that day, as if made under section 74AA of that 
Act (inserted by Schedule 6 to this Act). 


(2) In this paragraph, “the relevant day” means the day on which paragraph 4 
of Schedule 6 to this Act comes into force.


SCHEDULE 8 Section 41


COMPLAINTS: MINOR AND CONSEQUENTIAL AMENDMENTS 


The UK GDPR 


1 The UK GDPR is amended as follows.


2 In Article 12(4) (transparent information, communication and modalities for
the exercise of the rights of the data subject), for “lodging a complaint with 
the Commissioner” substitute “making a complaint to the controller under 
section 164A of the 2018 Act, making a complaint to the Commissioner 
under section 165 of that Act”. 


3 (1) Article 13(2) (information to be provided where personal data are collected
from the data subject) is amended as follows. 


(2) After point (c) insert — 
“(ca) the right to make a complaint to the controller under section 164A 
of the 2018 Act;”. 
(3) In point (d), for “lodge a complaint with the Commissioner” substitute 
“make a complaint to the Commissioner under section 165”. 


4 (1) Article 14(2) (information to be provided where personal data have not been
obtained from the data subject) is amended as follows. 


(2) After point (d) insert — 


“(da) the right to make a complaint to the controller (see section 164A of 
the 2018 Act);”. 


(3) In point (e), for “lodge a complaint with the Commissioner” substitute 
“make a complaint to the Commissioner under section 165”. 


5 (1) Article 15(1) (right of access by the data subject) is amended as follows.
(2) After point (e) insert — 


“(ea) the right to make a complaint to the controller under section 164A 
of the 2018 Act;”. 


(3) In point (f), for “lodge a complaint with the Commissioner” substitute “make 
a complaint to the Commissioner under section 165”. 


6 In Article 47 (binding corporate rules), in paragraph 2(e), for “lodge a
complaint with the Commissioner and” substitute “make a complaint to the 
controller under section 164A of the 2018 Act, the right to make a complaint 
to the Commissioner under section 165 of the 2018 Act, the right to lodge a 
complaint”. 


7 In Article 57 (tasks of the Commissioner) —
(a) in paragraph 1, omit point (f), and 
(b) omit paragraph 2. 


8 Omit Article 77 (right to lodge a complaint with the Commissioner).


9 (1) Article 80 (representation of data subjects) is amended as follows.


(2) In paragraph 1— 
(a) for “lodge the complaint” substitute “make a complaint under 
section 164A or 165 of the 2018 Act”, and 
(b) omit “77,”. 
(3) In paragraph 2, for “lodge a complaint with the Commissioner” substitute 
“make a complaint under section 164A or 165 of the 2018 Act”. 


The 2018 Act 


10 The 2018 Act is amended as follows.
11 (1) Section 44 (information: controller’s general duties) is amended as follows.


(2) In subsection (1) — 
(a) after paragraph (d) insert — 
“(da) the existence of the right to make a complaint to the 
controller (see section 164A);”, and 
(b) in paragraph (e), after “Commissioner”, in the first place it occurs, 
insert “(see section 165)”. 


(3) In subsection (5) — 
(a) after paragraph (c) insert — 
“(ca) of the data subject’s right to make a complaint to the 
controller under section 164A,”, and 
(b) in paragraph (d), after “Commissioner” insert “under section 165”. 


12 (1) Section 45 (right of access by the data subject) is amended as follows. 


(2) In subsection (2) — 
(a) after paragraph (e) insert — 
“(ea) the existence of the data subject’s right to make a 
complaint to the controller (see section 164A);”, and 
(b) in paragraph (f), after “the Commissioner”, in the first place it occurs, 
insert “(see section 165)”. 


(3) In subsection (5) — 
(a) after paragraph (c) insert — 
“(ca) of the data subject’s right to make a complaint to the 
controller under section 164A,”, and 
(b) in paragraph (d), at the end insert “under section 165”. 


13 In section 45A (exemption from sections 44 and 45: legal professional 
privilege) (inserted by section 10 of this Act), in subsection (2), after 
paragraph (c) insert — 

“(ca) the data subject’s right to make a complaint to the controller 
under section 164A,”. 


14 (1) Section 48 (rights to rectification, to erasure or to restriction of processing: 
supplementary) is amended as follows. 


(2) In subsection (1)(b) —
(a) after sub-paragraph (ii) insert —
“(iia) of the data subject’s right to make a complaint
to the controller under section 164A,”, and


(b) in sub-paragraph (iii), after “Commissioner” insert “under section
165”.


(3) In subsection (4) —
(a) after paragraph (b) insert —
“(ba) of the data subject’s right to make a complaint to the
controller under section 164A,”, and


(b) in paragraph (c), after “Commissioner” insert “under section 165”.


15 In section 93(1)(e) (right to information), after “Commissioner”, in the first
place it occurs, insert “under section 165”.


16 In section 94(2)(f) (right of access), after “Commissioner”, in the first place it
occurs, insert “under section 165”.


17 In section 135 (manifestly unfounded or excessive requests by data subjects),
after subsection (5) (inserted by section 32 of this Act), insert —


“(6) In this section, “request” does not include a complaint under section
165.”


18 (1) Section 149 (enforcement notices) is amended as follows.
(2) In subsection (1), for “or (5)” substitute “, (5) or (6A)”.
(3) After subsection (5) insert —


“(5A) The fifth type of failure is where a controller has failed, or is failing,
to comply with section 164A or with regulations under section 164B.”


(4) In subsection (6), for “or (5)” substitute “, (5) or (6A)”.


19 In section 155 (penalty notices), in subsection (1)(a), for “or (5)” substitute “,
(5) or (5A)”.


20 In section 157 (maximum amount of penalty), after subsection (4) insert —


“(4A) In relation to an infringement of section 164A or of regulations under
section 164B, the maximum amount of the penalty that may be
imposed by a penalty notice is the standard maximum amount.”


21 In section 165 (complaints by data subjects), in the heading, at the end insert
“to the Commissioner”.


22 (1) Section 166 (orders to progress complaints) is amended as follows.
(2) In the heading, at the end insert “to the Commissioner”.


(3) In subsection (1), omit “or Article 77 of the UK GDPR”.


23 (1) Section 187 (representation of data subjects with their authority) is amended
as follows.


(2) In subsection (1)(a) —
(a) for “Articles 77,” substitute “sections 164A and 165 (complaints) and
Articles”, and
(b) omit “to lodge complaints and”.
(3) In subsection (2), before paragraph (a) insert —
“(za) the right under section 164A (complaints to the controller);”. 


24 (1) Section 204A (vexatious or excessive) (inserted by section 7 of this Act) is 
amended as follows. 


(2) After subsection (1) insert — 


“(1A) For the purposes of this Act, whether a complaint to the 
Commissioner is vexatious or excessive must be determined having 
regard to the circumstances of the complaint, including (so far as 
relevant) — 

(a) the nature of the complaint, 

(b) the complainant’s relationship with the person who is the
subject of the complaint (“the subject”) and the
Commissioner,

(c) the resources available to the Commissioner, 

(d) the extent to which the complaint repeats a previous 
complaint made by the complainant to the subject or the 
Commissioner, 

(e) how long ago any previous complaint was made, and 

(f) whether the complaint overlaps with other complaints made 
by the complainant to the subject or the Commissioner.” 


(3) In subsection (2), after “requests”, in both places it occurs, insert “and
complaints”.
SCHEDULE 9 Section 45 
DATA PROTECTION: MINOR AMENDMENTS 
The UK GDPR 
1 The UK GDPR is amended as follows. 


2 (1) Article 4(1) (interpretation) is amended as follows. 
(2) After point (A3) insert — 


“(A4) “the data protection legislation” has the same meaning as in the 2018 
Act (see section 3(9) of that Act);”. 


(3) After point (28) insert — 


“(29) “enactment” has the same meaning as in the 2018 Act (see section 205
of that Act);
(30) “tribunal” means any tribunal in which legal proceedings may be
brought.”

3 In Article 9 (processing of special categories of personal data) — 


(a) in paragraph 2, after “apply if” insert “the processing is based on 
Article 6(1) and”, 
(b) in paragraph 2(f), after “courts” insert “or tribunals”, and 
(c) in paragraph 3, for the words from the beginning to “data are”
substitute “Paragraph 1 is only disapplied by point (h) of paragraph 
2 if the personal data is”. 


4 In Article 12(5) (information etc to be provided free of charge), at the 
beginning insert “Subject to Article 15(3),”. 

5 In Article 23(1)(h) (restrictions), for “(a)” substitute “(c)”.

6 In Article 24(3) (responsibility of the controller), for “an element by which to 
demonstrate” substitute “a means of demonstrating”. 

7 In Article 25(3) (data protection by design and by default), for “an element 
by which to demonstrate” substitute “a means of demonstrating”. 

8 In Article 28(5) (processors), for “an element by which to demonstrate” 
substitute “a means of demonstrating”. 

9 In Article 32(3) (security of processing), for “an element by which to
demonstrate” substitute “a means of demonstrating”. 

10 In Article 37(1)(a), after “courts” insert “and tribunals”. 

11 Omit Article 59 (activity reports). 

The 2018 Act 

12 The 2018 Act is amended as follows. 

13 Omit section 20 (meaning of “court” in Part 2). 

14 In section 119A(11) (standard clauses for transfers to third countries etc), 
after “any” insert “whole days that fall within a”. 

15 In section 124(5) (data protection and journalism code), in the definition of 
“good practice in the processing of personal data for the purposes of 
journalism” — 

(a) in paragraph (a), omit “, including compliance with the requirements 
of the data protection legislation”, and 
(b) after paragraph (b) insert — 
“and includes compliance with the requirements of the data 
protection legislation;”. 

16 In section 125(8) (approval of codes prepared by the Commissioner), after 
“any” insert “whole days that fall within a”. 

17 In section 139 (reporting to Parliament), omit subsection (2). 

18 In section 161(6) (approval of first guidance about regulatory action), after 
“any” insert “whole days that fall within a”. 

19 In section 184(4) (prohibition of requirement to produce relevant records), 
after “prevention” insert “, investigation”. 

20 In section 192(6) (approval of the Framework), after “any” insert “whole 
days that fall within a”. 

21 (1) Schedule 1 (special categories of personal data and criminal convictions etc
data) is amended as follows.


(2) In the heading before paragraph 10, for “or detecting” substitute “etc”. 
(3) In paragraph 10(1)(a) (preventing etc unlawful acts), after “prevention”
insert “, investigation”. 


(4) In paragraph 13(1)(a) (journalism etc in connection with unlawful acts and 
dishonesty etc), after “consists of” insert “, or is carried out in preparation 
for,”. 


(5) In paragraph 14(1)(b) (preventing fraud), after sub-paragraph (ii) (but before 
the “or” at the end of that sub-paragraph) insert — 


“(iia) the processing of personal data carried out in
preparation for disclosure described in sub-paragraph (i) or (ii),”.

(6) In paragraph 24(1)(a) (disclosure to elected representatives), after “consists
of” insert “, or is carried out in preparation for,”.


22 (1) Schedule 2 (exemptions etc from the UK GDPR) is amended as follows. 
(2) In paragraph 2(1)(a) (crime), after “prevention” insert “, investigation”. 


(3) In paragraph 3(2)(b)(ii) (crime: risk assessment systems), after “prevention” 
insert “, investigation”. 


23 In paragraph 8(1)(b) of Schedule 8 (conditions for sensitive processing under
Part 3: preventing fraud), after sub-paragraph (ii) (but before the “or” at the 
end of that sub-paragraph) insert — 

“(iia) the processing of personal data carried out in
preparation for disclosure described in sub-paragraph (i) or (ii),”.

24 In paragraph 2(a) of Schedule 11 (other exemptions under Part 4: crime),
after “prevention” insert “, investigation”. 


SCHEDULE 10 Section 86 
PRIVACY AND ELECTRONIC COMMUNICATIONS: COMMISSIONER’S ENFORCEMENT POWERS 
“SCHEDULE 1 Regulation 31 
INFORMATION COMMISSIONER’S ENFORCEMENT POWERS 
Provisions applied for enforcement purposes 


1 For the purposes of enforcing these Regulations, the following
provisions of Parts 5 to 7 of the Data Protection Act 2018 apply
with the modifications set out in paragraphs 2 to 29—

section 140 (publication by the Commissioner); 

section 141 (notices from the Commissioner); 

section 142 (information notices); 

section 143 (information notices: restrictions); 

section 144 (false statements made in response to an
information notice);


section 145 (information orders); 
section 146 (assessment notices); 
section 146A (assessment notices: approval of person to
prepare report); 
section 147 (assessment notices: restrictions); 


section 148 (destroying or falsifying information and 
documents etc); 


section 148A (interview notices); 

section 148B (interview notices: restrictions); 

section 148C (false statements made in response to interview 
notices); 

section 149 (enforcement notices); 

section 150 (enforcement notices: supplementary); 

section 152 (enforcement notices: restrictions); 

section 153 (enforcement notices: cancellation and variation); 

section 154 and Schedule 15 (powers of entry and inspection); 

section 155 and Schedule 16 (penalty notices); 

section 156 (penalty notices: restrictions); 

section 157 (maximum amount of penalty); 

section 159 (amount of penalties: supplementary); 

section 160 (guidance about regulatory action); 

section 161 (approval of first guidance about regulatory 
action); 

section 162 (rights of appeal); 

section 163 (determination of appeals); 

section 164 (applications in respect of urgent notices); 

section 180 (jurisdiction); 

section 181 (interpretation of Part 6); 

section 182 (regulations and consultation); 

section 196 (penalties for offences); 

section 197(1) and (2) (prosecution); 

section 198 (liability of directors etc); 

section 200 (guidance about PACE codes of practice); 

section 202 (proceedings in the First-tier Tribunal: contempt); 

section 203 (Tribunal Procedure Rules). 




General modification of references to the Data Protection Act 2018 


2 The provisions listed in paragraph 1 have effect as if — 

(a) references to the Data Protection Act 2018 or to a Part of 
that Act were references to the provisions of that Act or 
that Part as applied by these Regulations; 

(b) references to a particular provision of that Act were 
references to that provision as applied by these 
Regulations. 

Modification of section 142 (information notices) 
3 Section 142 has effect as if —
(a) in subsection (1), for paragraphs (a) and (b) there were
substituted —

“(a) require any person to provide the
Commissioner with information or
documents that the Commissioner reasonably
requires for the purposes of determining
whether that person has complied or is
complying with the requirements of the PEC
Regulations,

(b) require a communications provider to
provide the Commissioner with information
or documents relating to another person’s use
of an electronic communications network or
electronic communications service for the
purposes of determining whether that other
person has complied or is complying with the
requirements of the PEC Regulations, or

(c) require any person to provide the
Commissioner with information or
documents that the Commissioner reasonably
requires for the purposes of investigating a
suspected failure by another person to comply
with the requirements of the PEC
Regulations.”;

(b) in subsection (2)(a), for “(b)(i) or (b)(ii)” there were
substituted “(b) or (c)”;

(c) after subsection (8) there were inserted —

“(8A) Subsections (8B) and (8C) apply if an information
notice given to a person under subsection (1)(b) or (c)
contains —

(a) a statement that a duty of confidentiality
applies in relation to the notice, and

(b) an explanation of the effects of subsection (8B)
and (8C).

(8B) The person to whom the information notice is given,
and any person employed or engaged for the purpose
of that person’s business, must not disclose the
existence of the notice without reasonable excuse.

(8C) Subsection (8B) does not prevent —

(a) a disclosure to a person employed or engaged
for the purpose of the business of the person
to whom the notice is given,

(b) a disclosure made with the permission of the
Commissioner (whether the permission is
contained in the information notice or
otherwise), or

(c) a disclosure made for the purpose of
obtaining legal advice.”

(d) subsections (9) and (10) were omitted.


Modification of section 143 (information notices: restrictions) 


4 (1) Section 143 has effect as if subsection (1) and (9) were omitted.

(2) In that section—

(a) subsections (3)(b) and (4)(b) have effect as if for “the data 
protection legislation” there were substituted “the PEC 
Regulations”, 

(b) subsection (7)(a) has effect as if for “this Act” there were 
substituted “section 144, 148 or 148C or paragraph 15 of 
Schedule 15”; 


(c) subsection (8) has effect as if for “this Act (other than an 
offence under section 144)” there were substituted “section 
148 or 148C or paragraph 15 of Schedule 15”. 


Modification of section 145 (information orders) 


5 Section 145(2)(b) has effect as if for “section 142(2)(b)” there were
substituted “section 142(2)”. 


Modification of section 146 (assessment notices) 


6 Section 146 has effect as if — 
(a) in subsection (1) — 

(i) for “a controller or processor” there were 
substituted “a person within subsection (1A)”, 

(ii) for “the controller or processor” there were 
substituted “the person”, and 

(iii) for “the data protection legislation” there were 
substituted “the requirements of the PEC 
Regulations”, 

(b) after subsection (1) there were inserted — 
“(1A) A person is within this subsection if the person — 
(a) is a communications provider, or
(b) is engaged in any activity regulated by the 
PEC Regulations.” 
(c) in subsection (2)— 

(i) for “controller or processor” there were substituted 
“person to whom it is given”, 

(ii) in paragraph (h), for “the processing of personal 
data” there were substituted “any activity 
regulated by the PEC Regulations”, and 

(iii) in paragraph (i), for “process personal data on 
behalf of the controller” there were substituted “are 
involved in any such activity on behalf of the 
person to whom the notice is given”, 

(d) in subsection (3A), for “controller or processor” there were
substituted “person”, 

(e) in subsection (7), for “controller or processor” there were 
substituted “person to whom the notice is given”, 

(f) in subsection (8)— 

(i) in paragraph (a), for “controller or processor” there 
were substituted “person to whom the notice is 
given”, and 

(ii) in the words after paragraph (c), for “controller or 
processor” there were substituted “person”, 
(g) in subsection (9)—

(i) in paragraph (a), from the words from “a 
controller” to “this Act” there were substituted “the 
person to whom the notice is given has failed or is 
failing to comply with the requirements of the PEC 
Regulations or that an offence under section 144, 
148 or 148C or paragraph 15 of Schedule 15”, and 


(ii) in paragraph (d), for “controller or processor” there 
were substituted “person”, 


(h) in subsection (10), for “controller or processor” there were 
substituted “person”, 
(i) subsection (11) were omitted, and 
(j) in subsection (11A)— 

(i) for “controller or processor”, in the first place it 
occurs, there were substituted “person to whom it 
is given”, and 

(ii) for “controller or processor”, in the second place it 
occurs, there were substituted “the person”. 


Modification of section 146A (assessment notices: approval of person to prepare report) 


7 Section 146A has effect as if — 
(a) in subsection (1), for “a controller or processor” there were
substituted “a person (“P”)”; 


(b) in subsection (2), for “The controller or processor” there 
were substituted “P”; 

(c) in subsections (3) to (6), for “the controller or processor” 
there were substituted “P”. 


Modification of section 147 (assessment notices: restrictions) 


8 (1) Section 147 has effect as if subsections (5) and (6)(b) were omitted. 


(2) In that section, subsections (2)(b) and (3)(b) have effect as if for 
“the data protection legislation” there were substituted “the PEC 
Regulations”. 


Modification of section 148A (interview notices) 


9 (1) Section 148A has effect as if subsection (10) were omitted. 


(2) In that section— 
(a) subsection (1) has effect as if — 
(i) for “a controller or processor” there were 
substituted “a person”, 
(ii) in paragraph (a), for “as described in section 
149(2)” there were substituted “to comply with a 
requirement of the PEC Regulations”; 
(iii) in paragraph (b), for “this Act” there were 
substituted “section 144, 148 or 148C or paragraph 
15 of Schedule 15”; 


(b) subsection (3) has effect as if — 
(i) in paragraph (a), for “the controller or processor”
there were substituted “the person mentioned in 
subsection (1)”; 


(ii) in paragraph (b), for “the controller or processor” 
there were substituted “that person”; 


(iii) in paragraph (c), for “the controller or processor” 
there were substituted “that person”. 


Modification of section 148B (interview notices: restrictions) 


10 (1) Section 148B has effect as if subsections (8) and (9) were omitted. 


(2) In that section— 


(a) subsections (2)(b) and (3)(b) have effect as if for “the data 
protection legislation” there were substituted “the PEC 
Regulations”, 


(b) subsection (6)(a) has effect as if for “this Act” there were 
substituted “section 144, 148 or 148C or paragraph 15 of 
Schedule 15”; 

(c) subsection (7) has effect as if for “this Act (other than an 
offence under section 148C)” there were substituted 
“section 144 or 148 or paragraph 15 of Schedule 15”. 


Modification of section 149 (enforcement notices) 


11 (1) Section 149 has effect as if subsections (2) to (5A) and (7) to (9) were 
omitted. 
(2) In that section— 
(a) subsection (1) has effect as if — 
(i) for “as described in subsections (2), (3), (4), (5) or 
(5A)” there were substituted “to comply with a 
requirement of the PEC Regulations”; 
(ii) for “sections 150 and 151” there were substituted 
“section 150”; 


(b) subsection (6) has effect as if the words “given in reliance 
on subsection (2), (3), (5) or (5A)” were omitted. 


Modification of section 150 (enforcement notices: supplementary) 


12 (1) Section 150 has effect as if subsection (3) were omitted. 


(2) In that section, subsection (2) has effect as if the words “in reliance 
on section 149(2)” were omitted. 


Modification of section 152 (enforcement notices: restrictions) 
13 Section 152 has effect as if subsections (1), (2) and (4) were omitted. 
Modification of Schedule 15 (powers of entry and inspection) 


14 (1) Schedule 15 has effect as if paragraph 3 were omitted. 


(2) Paragraph 1(1) of that Schedule (issue of warrants in connection 
with non-compliance and offences) has effect as if for paragraph 
(a) (but not the final “and”) there were substituted —
“(a) there are reasonable grounds for suspecting that— 
(i) a person has failed or is failing to comply with a 
requirement of the PEC Regulations, or 
(ii) an offence under section 144, 148, or 148C or 
paragraph 15 of this Schedule has or is being 
committed,”. 


(3) Paragraph 2 of that Schedule (issue of warrants in connection with 
assessment notices) has effect as if — 
(a) in sub-paragraphs (1) and (2), for “controller or processor”
there were substituted “person”, 
(b) in sub-paragraph (2), for “the data protection legislation” 
there were substituted “the PEC Regulations”. 


(4) Paragraph 5 of that Schedule (content of warrants) has effect as 
if— 

(a) in sub-paragraph (1)(c), for “the processing of personal 
data” there were substituted “an activity regulated by the 
PEC Regulations”, 

(b) in sub-paragraph (2)(d), for the words from “controller or 
processor” to the end there were substituted “person 
mentioned in paragraph 1(1)(a) has failed or is failing to 
comply with a requirement of the PEC Regulations”; 

(c) in sub-paragraph (3)(a) and (d)— 

(i) for “controller or processor” there were substituted 
“person mentioned in paragraph 2(1)”; 

(ii) for “the data protection legislation” there were 
substituted “the requirements of the PEC 
Regulations”. 


(5) Paragraph 11 of that Schedule (privileged communications) has 
effect as if, in sub-paragraphs (1)(b) and (2)(b) for “the data 
protection legislation” there were substituted “the PEC 
Regulations”. 


Modification of section 155 (penalty notices) 


15 Section 155 has effect as if — 
(a) in subsection (1) — 
(i) in paragraph (a), for “as described in section 149(2), 
(3), (4), (6) or (5A)” there were substituted “to 
comply with a requirement of the PEC 
Regulations”; 
(ii) after paragraph (c), there were inserted “or 
(d) has failed to comply with the prohibition in 
section 142(8B),”; 
(b) after subsection (1) there were inserted — 
“(1A) But the Commissioner may not give a penalty notice
to a person in respect of a failure to comply with 
regulation 5A or 26A of the PEC Regulations.”; 
(c) for subsection (2) there were substituted —

“(2) When deciding whether to give a penalty notice to a 
person and determining the amount of the penalty, 
the Commission must have regard to the matters 
listed in subsection (3), so far as relevant.”; 

(d) in subsection (3) — 
(i) for “the controller or processor” (in each place) 
there were substituted “the person”, 
(ii) in paragraph (c), for “data subjects” there were 
substituted “subscribers or users”; 
(iii) in paragraph (d), for the words “in accordance with 
section 57, 66, 103 or 107” there were substituted 
“with a view to securing compliance with the 
requirements of the PEC Regulations”; 
(iv) paragraph (g) were omitted; 
(v) in paragraph (j), the words “or certification 
mechanism” were omitted; 
(e) subsection (4) were omitted; 
(f) after subsection (4) there were inserted — 

“(4A) If a penalty notice is given to a body in respect of a 
failure to comply with any of regulations 19 to 24 of 
the PEC Regulations, the Commissioner may also 
give a penalty notice to an officer of the body if the 
Commissioner is satisfied that the failure — 

(a) took place with the consent or connivance of 
the officer, or 

(b) was attributable to any neglect on the part of 
the officer. 

(4B) In subsection (4A) —

“body” means a body corporate or a Scottish 
partnership; 
“officer” in relation to a body means — 
(a) in relation to a body corporate — 

(i) a director, manager, secretary 
or other similar officer of the 
body or any person purporting 
to act in such capacity, and 

(ii) where the affairs of the body 
are managed by its members, a 
member; or 

(b) in relation to a Scottish partnership, a 
partner or any person purporting to 
act as a partner.”; 

(g) subsections (6) to (8) were omitted. 


Modification of Schedule 16 (penalties) 


16 Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were 
omitted. 
Modification of section 156


17 (1) Section 156 has effect as if subsections (1), (2), (4)(b) and (5) were 
omitted. 


(2) In that section, subsection (3) has effect as if for the words from 
“controller” to “determined by or” there were substituted “penalty 
notice to a person who acts”. 


Modification of section 157 (maximum amount of penalty) 


18 Section 157 has effect as if — 
(a) subsection (1) were omitted; 
(b) in subsection (2)— 
(i) for “Part 3 of this Act” there were substituted “the 
PEC Regulations”; 
(ii) in paragraph (a), for the words from “section 35” to 
“or 78” there were substituted “regulation 5, 6, 7, 8, 
14, 19, 20, 21, 21A, 21B, 22, 23 or 24”; 
(c) subsections (3) and (4A) were omitted; 
(d) after subsection (4A) there were inserted — 


“(4B) In relation to an infringement of section 142(8B) of 
this Act, the maximum amount of the penalty that 
may be imposed by a penalty notice is the higher 
maximum amount.” 


Modification of section 159 (amount of penalties: supplementary) 


19 Section 159 has effect as if — 


(a) in subsection (1), the words “Article 83 of the UK GDPR 
and” were omitted; 


(b) in subsection (2), the words “Article 83 of the UK GDPR,”
and “and section 158” were omitted. 


Modification of section 160 (guidance) 


20 Section 160 has effect as if, in subsection (4)(f), for “controllers and 
processors” there were substituted “persons”. 


Modification of section 162 (rights of appeal) 

21 Section 162 has effect as if subsection (4) were omitted. 
Modification of section 163 (determination of appeals) 

22 Section 163 has effect as if subsection (6) were omitted. 
Modification of section 180 (jurisdiction) 


23 (1) Section 180 has effect as if subsections (2)(b), (c), (d) and (e) and (3) 
were omitted. 


(2) Subsection (1) of that section has effect as if for “subsections (3) 
and (4)” there were substituted “subsection (4)”. 
Modification of section 181 (interpretation of Part 6)


24 Section 181 has effect as if the definitions of “certification 
provider” and “representative” were omitted. 


Modification of section 182 (regulations and consultation) 


25 Section 182 has effect as if subsections (3), (4), (6), (8) to (12) and
(14) were omitted. 


26 Subsection (13) of that section has effect as if for “provision comes 
into force” there were substituted “coming into force of section 
86”. 


Modification of section 196 (penalties for offences) 


27 (1) Section 196 has effect as if subsections (3) to (5) were omitted. 


(2) In that section— 
(a) subsection (1) has effect as if the words “section 119 or 173 
or” were omitted; 
(b) subsection (2) has effect as if for “section 132, 144, 148, 
148C, 170, 171 or 184” there were substituted “section 144, 
148 or 148C”. 


Modification of section 200 (guidance about PACE codes of practice) 


28 Section 200 has effect as if, in subsection (1), for “this Act” there 
were substituted “section 144, 148 and 148C and paragraph 15 of 
Schedule 15.” 


Modification of section 202 (proceedings in the First-tier Tribunal: contempt) 


29 Section 202 has effect as if in subsection (1)(a), for sub-paragraphs 
(i) and (ii) there were substituted “on an appeal under section 
162”. 


Modification of section 203 (tribunal procedure rules) 


30 Section 203 has effect as if — 
(a) in subsection (1), for paragraphs (a) and (b) there were 
substituted “the exercise of the rights of appeal conferred 
by section 162”; 

(b) in subsection (2)— 
(i) in paragraph (a), for “the processing of personal
data” there were substituted “any activity
regulated by the PEC Regulations”;


(ii) in paragraph (b), for “the processing of personal 
data” there were substituted “any such activity”. 


Interpretation 


31 In this Schedule, “the PEC Regulations” means these Regulations.” 
SCHEDULE 11 Section 98
REGISTERS OF BIRTHS AND DEATHS: MINOR AND CONSEQUENTIAL AMENDMENTS 
PART 1 
AMENDMENTS OF THE BIRTHS AND DEATHS REGISTRATION ACT 1953 


1 The Births and Deaths Registration Act 1953 is amended as follows. 


2 (1) Section 3A (registration of births of abandoned children) is amended as 
follows. 


(2) In subsection (5), for the words from “direct” to the end substitute “enter in 
the margin of the relevant register of births a reference to the re-registration 
of the birth or, if the relevant register of births is in hard copy form, shall 
direct the officer having custody of that register to do so.” 


(3) After that subsection insert — 


“(6) In subsection (5) “the relevant register of births”, in relation to the
re-registration of the birth of a child, means the register of births in
which the entry relating to the child was previously made.”


3 (1) Section 13 (registration of name of child or of alteration of name) is amended 
as follows. 


(2) In subsection (1), for “the registrar or superintendent registrar having the 
custody of the register” substitute “the relevant registration officer for the 
register”. 

(3) In subsection (1A), for “The registrar or superintendent registrar having the
custody of the register in question” substitute “The relevant registration
officer”.


(4) In subsection (1B), for “the registrar or superintendent registrar” substitute 
“the relevant registration officer”. 


(5) After subsection (2) insert — 


“(2A) In this section the “relevant registration officer” for a register 
means — 
(a) the registrar of births and deaths for the sub-district for 
which the register is or has been kept, or 
(b) the superintendent registrar for the district containing that 
sub-district.” 


4 In Part 3 (general), the italic heading before section 25 becomes “Registers, 
ee 


5 (1) Section 29 (correction of errors in registers) is amended as follows. 


(2) In subsection (3), for “the officer having the custody of the register” 
substitute “the appropriate registration officer”. 


(3) In subsection (3A)(b), for “the officer having the custody of the register” 
substitute “the appropriate registration officer”. 


(4) In subsection (3B)(b), for “the officer having the custody of the register” 
substitute “the appropriate registration officer”. 
(5) In subsection (4), for “the officer having the custody of the register”
substitute “the appropriate registration officer for the register”. 


(6) After subsection (4) insert — 


“(5) In this section the “appropriate registration officer”, in relation to a
register, means —

(a) in the case of a register of live-births or of deaths in hard copy
form, the superintendent registrar having custody of the
register;

(b) in the case of a register of live-births or of deaths not in hard
copy form—

(i) the registrar of births and deaths for the sub-district
for which the register is or has been kept, or

(ii) the superintendent registrar for the district
containing that sub-district;

(c) in the case of a register of still-births, the Registrar General.”


6 In section 29A (alternative procedure for certain corrections), in subsection 
(4) — 
(a) for “the officer having custody of the register” substitute “the 
appropriate registration officer”; 
(b) at the end insert — 


““Appropriate registration officer” has the same meaning as 
in section 29 of this Act.” 


7 (1) Section 30 (searches of indexes kept by Registrar General) is amended as 
follows. 


(2) After subsection (1) insert — 


“(1ZA) The Registrar General shall cause the following indexes to be made 
and kept in the General Register Office — 


(a) an index of the entries in the registers kept under section 1 of
this Act; 


(b) an index of the entries in the registers kept under section 15 
of this Act.” 


(3) In subsection (2), after “certified copies” insert “or in the said registers (as the
case may be)”. 


(4) In subsection (3) — 
(a) for “to certified copies of entries in” substitute “in relation to”; 


(b) for the words from “any such” to the end substitute “any register of 
still-births”. 


8 In section 31 (searches of indexes kept by superintendent registrars), for 
subsection (1) substitute — 


“(1) The superintendent registrar for each district shall cause the 
following indexes to be made — 
(a) an index of the entries in the registers of live-births kept for 
the sub-districts within that district; 
(b) an index of the entries in the registers of deaths kept for the 
sub-districts within that district. 
(1A) The indexes must be kept with the other records of the register office
for the district.” 


9 For section 32 (searches in registers kept by registrars) substitute — 
“32 Obtaining copies of entries from registrars 


(1) Any person is entitled to obtain from a registrar for a sub-district, at 
any time when the registrar’s office is required to be open for the 
transaction of public business, a copy certified by the registrar of any 
entry in any register of births or register of deaths kept for that
sub-district.


(2) But subsection (1) does not apply in relation to any register of
still-births except as the registrar may, with the consent of the Registrar
General, in any particular case allow.” 


10 (1) Section 33 (short certificate of birth) is amended as follows. 


(2) In subsection (1), for “the Registrar General, a superintendent registrar or a 
registrar” substitute “the appropriate registration officer”. 


(3) After subsection (1) insert — 


“(1A) In subsection (1) the “appropriate registration officer” means —
(a) in the case of a live-birth, the Registrar General, a
superintendent registrar or a registrar;
(b) in the case of a still-birth—
(i) the Registrar General, or 
(ii) a registrar acting at the time of the registration of the 
still-birth or with the consent of the Registrar 
General.” 


(4) In subsection (2) —

(a) for the words from “the records and registers” to “may be” substitute 
“the register in which the entry relating to the birth is made, or, in the 
case of the Registrar General, from the records in the Registrar 
General’s custody”, 

(b) for “any such records or registers” substitute “any register of births 
or in any such records”. 


11 In section 33A (short certificate of death), in subsection (2), for the words 
from “the records and registers” to “may be” substitute “the register in which 
the entry relating to the death is made, or, in the case of the Registrar 
General, from the records in the Registrar General’s custody”. 


12 In section 34 (entry in register as evidence of birth or death), in subsection 
(5), before “on which” insert “in or”. 


13 (1) Section 34A (searches and records of information: additional provision) is 
amended as follows. 


(2) In subsection (1) — 
(a) after paragraph (a) insert — 
“(aa) to carry out, on request, a search to find out whether 
any of the registers kept under this Act contains a 
particular entry;”; 


(b) in paragraph (b), after “copies” insert “or in such a register”. 

(3) In subsection (5), at the end insert “or in a register kept under this Act”. 


14 In section 35 (offences relating to registers), in paragraph (b), after “deaths” 
insert “kept in hard copy form”. 


15 In section 40 (sending and providing notices, information or other 
documents), omit “, return”. 


16 In section 41 (interpretation), after subsection (3) insert — 


“(4) For the purposes of this Act a register is in hard copy form if it 
consists of a paper copy or similar form capable of being read with 
the naked eye.” 

PART 2 
AMENDMENTS OF OTHER LEGISLATION 


Registration Service Act 1953 


17 The Registration Service Act 1953 is amended as follows. 

18 In section 10 (district register offices), in subsection (1), omit the words from 
“and shall provide” to the end. 

19 In section 12 (provision of register boxes), omit “registrar of births and 
deaths and”. 

20 In section 13 (local schemes of organisation), in subsection (2), after 
paragraph (b) insert — 


“(ba) determining the equipment or facilities to be provided at 
those offices and stations by the council for the non- 
metropolitan county or metropolitan district;”. 


Public Records Act 1958 


21 In Schedule 1 to the Public Records Act 1958 (definition of public records), 
in paragraph 2(2)(b), after “adoptions,” insert “or to any other records held 
by the Registrar General of information entered in any register of births or 
deaths kept under any such enactment,”. 


Social Security Administration Act 1992 


22 In section 124 of the Social Security Administration Act 1992 (provisions 
relating to age, death and marriage), after subsection (5) insert — 


“(6) The reference in subsection (1) above to a register in the custody of a 
registrar or superintendent registrar includes, in relation to registers 
of births or deaths kept under the Births and Deaths Registration Act 
1953, a reference to any such register kept for the registrar’s sub- 
district or (as the case may be) for a sub-district within the 
superintendent registrar’s district; and references in subsection (3) 
above to the custodian of the register are to be read accordingly.” 


Education Act 1996 


23 (1) Section 564 of the Education Act 1996 (certificates of birth and registrars’ 
returns) is amended as follows. 

(2) In subsection (1), for “the registrar having the custody of the register of 
births and deaths” substitute “the relevant registrar for the register”. 


(3) In subsection (3) — 

(a) for “A registrar” substitute “The relevant registrar for a register”; 

(b) for “any register of births and deaths in his custody” substitute “the 
register”. 

(4) In subsection (4) — 

(a) in the definition of “the appropriate fee”, for “the registrar having 
custody of the register concerned” substitute “the relevant registrar 
for a register”; 

(b) for the definition of “register of births and deaths” substitute — 

““register” means a register of births or register of 
deaths kept under that Act,”; 

(c) at the end insert — 

“the “relevant registrar” for a register means — 

(a) in the case of a register in hard copy form 
(within the meaning of the Births and Deaths 
Registration Act 1953), the superintendent 
registrar having custody of the register; 

(b) in the case of a register not in hard copy form 
(within the meaning of that Act) — 

(i) the registrar of births and deaths for 
the sub-district for which the register 
is or has been kept, or 

(ii) the superintendent registrar for the 
district containing that sub-district.” 


Adoption and Children Act 2002 


24 In section 78 of the Adoption and Children Act 2002 (Adopted Children 
Register: searches and copies), in subsection (4) — 
(a) in paragraph (a), omit “certified copies of”; 
(b) in paragraph (b), for “certified copies” (in the second place it occurs) 
substitute “registers”. 


Gender Recognition Act 2004 


25 The Gender Recognition Act 2004 is amended as follows. 
26 (1) Section 10 (registration) is amended as follows. 


(2) In subsection (2), omit the “or” after paragraph (a) and after paragraph (b) 
insert “, or 
(c) an entry in a register kept under section 1 of the Births and 
Deaths Registration Act 1953,”. 


(3) For subsection (3) substitute — 


“(3) “The appropriate Registrar General” means — 

(a) in relation to a UK birth register entry of which a certified 
copy is kept by a Registrar General or which is in a register so 
kept, whichever Registrar General keeps that certified copy 
or that register; 

(b) in relation to a UK birth register entry in a register kept under 
section 1 of the Births and Deaths Registration Act 1953, the 
Registrar General for England and Wales. 


(3A) For the purposes of this section each of the following is a Registrar 
General — 
(a) the Registrar General for England and Wales; 
(b) the Registrar General for Scotland; 
(c) the Registrar General for Northern Ireland.” 


27 In Part 1 of Schedule 3 (registration: England and Wales), in paragraphs 5(3) 
and 8(2), for “or (b)” substitute “, (b) or (c)”. 


Presumption of Death Act 2013 


28 In Schedule 1 to the Presumption of Death Act 2013 (Register of Presumed 
Deaths), in paragraph 7 (interpretation) — 
(a) after “means” insert “— 
(a) nes 
(b) at the end insert “, or 


(b) the index kept in the General Register Office of 
such entries.” 


SCHEDULE 12 Section 99 
INFORMATION STANDARDS FOR HEALTH AND ADULT SOCIAL CARE IN ENGLAND 


1 Part 9 of the Health and Social Care Act 2012 (health and adult social care 
services: information) is amended as follows. 


2 Before section 250 insert — 


“Powers to publish standards”. 


3 (1) Section 250 (powers to publish information standards) is amended as 
follows. 


(2) In subsection (2), at the end insert “and includes, among other things, a 
standard relating to information technology or IT services used, or intended 
to be used, in connection with the processing of information (see section 
250A)”. 


(3) In subsection (2B)(c) — 
(a) after “provision” insert “in, or in relation to, England”, and 
(b) delete “in England”. 


(4) In subsection (2B), at the end insert — 
“(e) a relevant IT provider.” 


(5) In subsection (3) — 
(a) after “provision” insert “in, or in relation to, England”, and 
(b) delete “in England”. 


(6) In subsection (7) — 
(a) in the opening words, for “section” substitute “Chapter”, 
(b) after the definition of “health care” insert — 


““information technology” includes — 

(a) computers, 

(b) other devices whose uses include the 
processing of information by electronic means 
(“IT devices”), 

(c) parts, accessories and other equipment made 
or adapted for use in connection with 
computers or IT devices, 

(d) software and code made or adapted for use in 
connection with computers or IT devices, and 

(e) networks and other infrastructure (whether 
physical or virtual) used in connection with 
other information technology; 

“IT service” means an information technology service, 
including any service (whether physical or virtual) 
which consists of, or is provided in connection with, 
the development, making available, operation or 
maintenance of information technology;”, 

(c) in the definition of “processing”, omit “and (14)”, and 
(d) at the end insert — 

““relevant IT provider” means a person involved in 
marketing, supplying, providing or otherwise 
making available — 

(a) information technology, 

(b) an IT service, or 

(c) a service which consists of processing 
information using information technology, 

whether for payment or free of charge, but only so far 
as the technology or service is used, or intended to be 
used, in connection with the provision in, or in 
relation to, England of health care or of adult social 
care.” 


4 After section 250 insert — 
“250A Standards relating to information technology 


(1) An information standard relating to information technology or IT 
services may, among other things, make provision about — 


(a) the design, quality, capabilities or other characteristics of 
such technology or services; 


(b) contracts or other arrangements under which such 
technology or services are marketed, supplied, provided or 
otherwise made available. 


(2) An information standard may include technical provision about 
information technology or IT services, including provision about — 


(a) functionality; 
(b) connectivity; 

(c) interoperability; 
(d) portability; 
(e) storage of, and access to, information; 
(f) security of information. 


(3) An information standard may make provision by reference to open 
standards or proprietary standards.” 


5 (1) Section 251 (information standards: procedure etc) is amended as follows. 
(2) In the heading omit “Information standards:”. 
(3) For subsection (3) substitute — 


“(3) The power under section 250(1) may be exercised by — 
(a) adopting an information standard prepared or published by 
another person, including as it has effect from time to time, or 
(b) making provision by reference to an international agreement 
or another document, including as it has effect from time to 
time.” 

6 After section 251 insert — 
“Compliance with standards”. 

7 For the heading of section 251ZA (information standards: compliance) 
substitute “Monitoring compliance”. 

8 After that section insert — 
“251ZB Notice requesting compliance by relevant IT providers 


(1) If the Secretary of State has reasonable grounds to suspect that a 
relevant IT provider is not complying with an information standard 
which applies to the provider, the Secretary of State may give the 
provider a written notice which— 

(a) identifies the standard in question, 

(b) sets out the Secretary of State’s grounds for suspecting that 
the provider is not complying with the standard, 

(c) asks the provider to comply with the standard within a 
period specified in the notice, 

(d) asks the provider, within a period specified in the notice, to 
provide evidence to the Secretary of State’s satisfaction that 
the provider is complying with the standard, and 

(e) if the Secretary of State considers it appropriate, sets out the 
steps that the Secretary of State considers the provider must 
take, within a period specified in the notice, in order to 
comply with the standard. 


(2) A period specified for the purposes of subsection (1)(c), (d) or (e) 
must be a period of at least 28 days beginning with the day on which 
the notice is given. 


(3) The Secretary of State may, by giving the relevant IT provider a 
further written notice, vary or revoke a notice given under 
subsection (1). 


251ZC Public censure of relevant IT providers 


(1) If the Secretary of State has reasonable grounds to suspect that a 
relevant IT provider is not complying with an information standard 
which applies to the provider, the Secretary of State may publish a 
statement to that effect. 


(2) The statement may include the text of a notice given to the provider 
under section 251ZB. 


(3) Before publishing a statement under this section, the Secretary of 
State must give the relevant IT provider — 


(a) a copy of the terms of the proposed statement, and 


(b) an opportunity to make representations about the decision to 
publish a statement and the terms of the statement. 


(4) If, after considering any representations, the Secretary of State 
decides to publish the statement, the Secretary of State must inform 
the relevant IT provider before publishing it. 


251ZD Exercise of functions of Secretary of State by other persons 


(1) The Secretary of State may — 
(a) direct a public body to exercise some or all of the functions 
listed in subsection (3), and 
(b) give the public body directions about the exercise of those 
functions, including directions about the processing of 
information that the body obtains in exercising those 
functions. 


(2) The Secretary of State may make arrangements for a person 
prescribed by regulations under this subsection to exercise some or 
all of the functions listed in subsection (3). 


(3) Those functions are— 


(a) the Secretary of State’s functions under section 251ZA, so far 
as they relate to relevant IT providers, and 


(b) the Secretary of State’s functions under section 251ZB. 


(4) Arrangements under subsection (2) may — 
(a) provide for the Secretary of State to make payments to the 
person, and 
(b) make provision as to the circumstances in which such 
payments are to be repaid to the Secretary of State. 


(5) Section 304(9) applies in relation to the power to make arrangements 
under subsection (2) as it applies to a power of the Secretary of State 
to give directions under this Act. 


Accreditation 


251ZE Accreditation of information technology etc 


(1) Regulations may make provision for the establishment and 
operation of a scheme for the accreditation of information 
technology and IT services so far as used, or intended to be used, in 
connection with the provision in, or in relation to, England of health 
care or of adult social care. 


(2) The regulations may provide for the scheme to be established and 
operated by a person specified in the regulations (“the operator”). 


(3) The regulations may, among other things, confer power on the 
operator — 
(a) to establish the procedure for accreditation under the 
scheme, 


(b) to set the criteria for accreditation under the scheme (“the 
accreditation criteria”), 


(c) to keep an accreditation under the scheme under review, and 


(d) to charge a reasonable fee in respect of an application for 
accreditation. 


(4) The regulations may, among other things, make provision requiring 
the operator — 


(a) to set some or all of the accreditation criteria by reference to 
information standards, 


(b) to publish details of the scheme, including the accreditation 
criteria, 


(c) to provide for the review of a decision to refuse an 
application for accreditation, and 


(d) to provide advice to applicants for accreditation with a view 
to ensuring that the accreditation criteria are met.” 


SCHEDULE 13 Section 100 
THE INFORMATION COMMISSION 
Schedule 12A to the 2018 Act 


1 In the 2018 Act, after Schedule 12 insert — 
“SCHEDULE 12A Section 114A 


THE INFORMATION COMMISSION 
Status 


1 (1) The Commission is not to be regarded — 
(a) as a servant or agent of the Crown, or 
(b) as enjoying any status, immunity or privilege of the 
Crown. 
(2) The Commission’s property is not to be regarded — 
(a) as property of the Crown, or 
(b) as property held on behalf of the Crown. 


Number of members 


2 (1) The number of members of the Commission is to be determined by 
the Secretary of State. 


(2) That number must not be— 
(a) less than 3, or 
(b) more than 14. 


(3) The Secretary of State may by regulations substitute a different 
number for the number for the time being specified in 
sub-paragraph (2)(b). 


(4) Regulations under this paragraph are subject to the negative 
resolution procedure. 


Membership: general 


3 (1) The Commission is to consist of — 
(a) the non-executive members, and 
(b) the executive members. 


(2) The non-executive members are — 
(a) a chair appointed by Her Majesty by Letters Patent on the 
recommendation of the Secretary of State, and 
(b) such other members as the Secretary of State may appoint. 


(3) The executive members are — 
(a) a chief executive appointed by the non-executive 
members, and 
(b) such other members, if any, as the non-executive members 
may appoint. 


(4) The non-executive members must consult the Secretary of State 
before appointing the chief executive. 


(5) The non-executive members must consult the chief executive 
about whether there should be any executive members within 
sub-paragraph (3)(b) and, if so, how many there should be. 


(6) The Secretary of State may by direction set a maximum and a 
minimum number of executive members. 


(7) The Commission may appoint one of the non-executive members 
as a deputy to the chair. 


Membership: non-executive members to outnumber executive members 


4 The Secretary of State must exercise the powers conferred on the 
Secretary of State by paragraphs 2 and 3 so as to secure that the 
number of non-executive members of the Commission is, so far as 
practicable, at all times greater than the number of executive 
members. 


Membership: selection on merit etc 


5 (1) The Secretary of State may not recommend a person for 
appointment as the chair of the Commission unless the person has 
been selected on merit on the basis of fair and open competition. 


(2) A person may not be appointed as a member of the Commission 
unless the person has been selected on merit on the basis of fair 
and open competition. 


Membership: conflicts of interests 


6 (1) Before— 
(a) recommending a person for appointment as the chair of 
the Commission, or 
(b) appointing a person as a non-executive member of the 
Commission, 
the Secretary of State must be satisfied that the person does not 
have a conflict of interest. 


(2) The Secretary of State must check from time to time that none of 
the non-executive members has a conflict of interest. 


(3) The Secretary of State may require a non-executive member to 
provide whatever information the Secretary of State considers 
necessary for the purpose of checking that the member does not 
have a conflict of interest. 


(4) A non-executive member who is required to provide information 
under sub-paragraph (3) must provide it within such period as 
may be specified by the Secretary of State. 


(5) In this Schedule, “conflict of interest”, in relation to a person, 
means a financial or other interest which is likely to affect 
prejudicially the discharge by the person of the person’s functions 
as a member of the Commission. 


Tenure of the chair 


7 (1) The chair of the Commission holds and vacates office in 
accordance with the terms of the chair’s appointment, subject to 
the provisions of this paragraph. 


(2) The chair must be appointed for a term of not more than 7 years. 


(3) On the recommendation of the Secretary of State, Her Majesty may 
by Letters Patent extend the term of the chair’s appointment but 
not so the term as extended is more than 7 years. 


(4) A person cannot be appointed as the chair more than once. 


(5) The chair may be relieved from office by Her Majesty at the chair’s 
own request. 


(6) The chair may be removed from office by Her Majesty on an 
Address from both Houses of Parliament. 


(7) No motion is to be made in either House of Parliament for such an 
Address unless the Secretary of State has presented a report to that 
House stating that the Secretary of State is satisfied that — 


(a) the chair is guilty of serious misconduct, 
(b) the chair has a conflict of interest (see paragraph 6(5)), 
(c) the chair has failed to comply with paragraph 6(4), or 
(d) the chair is unable, unfit or unwilling to carry out the 
chair’s functions. 


Tenure of deputy chair 


8 (1) A deputy chair of the Commission may resign that office by giving 
written notice to the Commission. 


(2) A deputy chair of the Commission ceases to hold that office on 
ceasing to be a non-executive member of the Commission. 


(3) A deputy chair of the Commission may be removed from that 
office by the Commission. 


Tenure of the other non-executive members 


9 (1) This paragraph applies to a non-executive member of the 
Commission appointed by the Secretary of State. 


(2) The member holds and vacates office in accordance with the terms 
of their appointment, subject to the provisions of this paragraph. 


(3) The member must be appointed for a term of not more than 7 
years. 


(4) The Secretary of State may extend the term of the member’s 
appointment but not so that the term as extended is more than 7 
years. 


(5) The Secretary of State may not appoint the member as a non- 
executive member of the Commission on a subsequent occasion. 


(6) The member may resign from office by giving written notice to the 
Secretary of State and the chair of the Commission. 


(7) The Secretary of State may remove the member from office by 
written notice if satisfied that — 


(a) the member is guilty of serious misconduct, 
(b) the member has a conflict of interest (see paragraph 6(5)), 
(c) the member has failed to comply with paragraph 6(4), or 
(d) the member is unable, unfit or unwilling to carry out the 
member’s functions. 


(8) At the time of removing the member from office the Secretary of 
State must make public the decision to do so. 


(9) The Secretary of State must — 


(a) give the member a statement of reasons for the removal, 
and 
(b) if asked to do so by the member, publish the statement. 


Remuneration and pensions of non-executive members 


10 (1) The Commission may pay to the non-executive members of the 
Commission such remuneration and allowances as the Secretary 
of State may determine. 


(2) The Commission may pay, or make provision for paying, to or in 
respect of the non-executive members of the Commission, such 
sums by way of pensions, allowances or gratuities (including 
pensions, allowances or gratuities paid by way of compensation in 
respect of loss of office) as the Secretary of State may determine. 


(3) The Commission may make a payment to a person of such amount 
as the Secretary of State may determine where — 

(a) the person ceases to be a non-executive member of the 
Commission otherwise than on the expiry of the person’s 
term of office, and 

(b) it appears to the Secretary of State that there are special 
circumstances which make it appropriate for the person to 
receive compensation. 


Executive members: terms and conditions 


11 (1) The executive members of the Commission are to be employees of 
the Commission. 


(2) The executive members are to be employed by the Commission on 
such terms and conditions, including those as to remuneration, as 
the non-executive members of the Commission may determine. 


(3) The Commission must — 

(a) pay to or in respect of the executive members of the 
Commission such pensions, allowances or gratuities 
(including pensions, allowances or gratuities paid by way 
of compensation in respect of loss of office) as the non- 
executive members of the Commission may determine, 
and 

(b) provide and maintain for them such pension schemes 
(whether contributory or not) as the non-executive 
members of the Commission may determine. 


Other staff: appointment, terms and conditions 


12 (1) The Commission may — 
(a) appoint other employees, and 


(b) make such other arrangements for the staffing of the 
Commission as it considers appropriate. 


(2) In appointing an employee, the Commission must have regard to 
the principle of selection on merit on the basis of fair and open 
competition. 


(3) Employees appointed by the Commission are to be appointed on 
such terms and conditions, including those as to remuneration, as 
the Commission may determine. 


(4) The Commission may — 

(a) pay to or in respect of those employees such pensions, 
allowances or gratuities (including pensions, allowances 
or gratuities paid by way of compensation in respect of 
loss of employment) as the Commission may determine, 
and 

(b) provide and maintain for them such pension schemes 
(whether contributory or not) as the Commission may 
determine. 


Committees 


13 (1) The Commission may establish committees. 


(2) A committee of the Commission may consist of or include persons 
who are neither members nor employees of the Commission. 


(3) But a committee of the Commission to which functions are 
delegated under paragraph 14(1)(c) must include at least one 
person who is either a member or an employee of the Commission. 


(4) Where a person who is neither a member nor an employee of the 
Commission is a member of a committee of the Commission, the 
Commission may pay to that person such remuneration and 
expenses as it may determine. 


Delegation of functions 


14 (1) The Commission may delegate any of its functions to— 
(a) a member of the Commission, 
(b) an employee of the Commission, or 
(c) a committee of the Commission. 


(2) A function is delegated under sub-paragraph (1) to the extent and 
on the terms that the Commission determines. 


(3) A committee of the Commission may delegate any function 
delegated to it to a member of the committee. 


(4) A function is delegated under sub-paragraph (3) to the extent and 
on the terms that the committee determines. 


(5) The power of a committee of the Commission to delegate a 
function, and to determine the extent and terms of the delegation, 
is subject to the Commission’s power to direct what a committee 
established by it may and may not do. 


(6) The delegation of a function by the Commission or a committee of 
the Commission under this paragraph does not prevent the 
Commission or the committee from exercising that function. 


Advice from committees 


15 The Commission may require a committee of the Commission to 
give the Commission advice about matters relating to the 
discharge of the Commission’s functions. 


Proceedings 


16 (1) The Commission may make arrangements for regulating — 
(a) its own procedure, and 
(b) the procedure of a committee of the Commission. 


(2) The non-executive members of the Commission may by majority 
make arrangements for regulating the procedure for the carrying 
out of the separate functions which are conferred on them under 
this Schedule. 


(3) Arrangements under this paragraph may include arrangements as 
to quorum and the making of decisions by a majority. 


(4) The Commission must publish arrangements which it makes 
under this paragraph. 


(5) This paragraph is subject to paragraph 18. 
Records of proceedings 


17 The Commission must make arrangements for the keeping of 
proper records of — 

(a) its proceedings, 

(b) the proceedings of a committee of the Commission, 

(c) the proceedings at a meeting of the non-executive 
members of the Commission, 

(d) anything done by a member or employee of the 
Commission under paragraph 14(1), and 

(e) anything done by a member of a committee of the 
Commission under paragraph 14(3). 


Disqualification for acting in relation to certain matters 


18 (1) This paragraph applies if — 

(a) a member of the Commission has a direct or indirect 
interest in a matter falling to be considered at a meeting of 
the Commission, 

(b) a non-executive member of the Commission has a direct or 
indirect interest in a matter falling to be considered at a 
meeting of the non-executive members, or 

(c) a member of a committee of the Commission has a direct 
or indirect interest in a matter falling to be considered at a 
meeting of the committee. 


(2) The member with the interest must declare it. 
(3) The declaration must be recorded in the minutes of the meeting. 


(4) The member with the interest may not take part in a discussion or 
decision at the meeting relating to the matter, unless — 

(a) in the case of a meeting of the Commission, the other 
members of the Commission who are present have 
resolved unanimously that the interest is to be 
disregarded, 

(b) in the case of a meeting of the non-executive members, the 
other non-executive members who are present have so 
resolved, or 

(c) in the case of a meeting of a committee, the other members 
of the committee who are present have so resolved in the 
manner authorised by the Commission. 


(5) In giving authorisation for the purposes of sub-paragraph (4)(c), 
the Commission must secure that a resolution for those purposes 
does not allow a member to take part in a discussion or decision at 
a meeting of a committee to which functions are delegated under 
paragraph 14(1)(c) unless the number of other members of the 
committee in favour of the resolution — 

(a) is not less than two thirds of those who are both present 
and entitled to vote on the resolution, and 


(b) is not less than its quorum. 


(6) For the purposes of this paragraph, a notification given at or sent 
to a meeting of the Commission that a person— 

(a) is a member of a company or firm, and 

(b) is to be regarded as interested in any matter involving that 
company or firm, 

is to be regarded as compliance with sub-paragraph (2) in relation 
to any such matter for the purposes of that meeting and 
subsequent meetings of the Commission, of the non-executive 
members or of a committee. 


(7) For the purposes of this paragraph, a notification given at or sent 
to a meeting of the non-executive members of the Commission or 
of a committee of the Commission that — 

(a) a person is a member of a company or firm, and 
(b) is to be regarded as interested in any matter involving that 
company or firm, 
is to be regarded as compliance with sub-paragraph (2) in relation 
to any such matter for the purposes of that meeting and 
subsequent meetings of the non-executive members or (as the case 
may be) of the committee. 


(8) A notification described in sub-paragraph (6) or (7) remains in 
force until it is withdrawn. 


(9) A person required to make a declaration for the purposes of this 
paragraph in relation to any meeting — 
(a) is not required to attend the meeting, but 
(b) is to be taken to have complied with the requirements of 
this paragraph if the person takes reasonable steps to 
secure that notice of the person’s interest is read out, and 
taken into consideration, at the meeting in question. 


Validity of proceedings 


19 (1) The validity of proceedings of the Commission, of the 
non-executive members of the Commission or of a committee of the 
Commission is not affected by — 
(a) a vacancy in the membership of the Commission or of the 
committee, 
(b) a defect in the appointment of a member of the 
Commission, 
(c) a failure of the Secretary of State to comply with the 
requirements of paragraph 4, or 
(d) a failure to comply with arrangements under paragraph 16 
or with a requirement under paragraph 18. 
(2) Nothing in sub-paragraph (1)(d) validates proceedings of a 
meeting which is inquorate unless it is inquorate by reason only of 
a matter within sub-paragraph (1)(b) or (c). 


Money 
20 The Secretary of State may make payments to the Commission. 
Fees etc and other sums 


21 (1) All fees, charges, penalties and other sums received by the 
Commission in carrying out its functions are to be paid to the 
Secretary of State. 


(2) Sub-paragraph (1) does not apply where the Secretary of State 
otherwise directs. 


(3) Any sums received by the Secretary of State under this paragraph 
are to be paid into the Consolidated fund. 


Accounts 


22 (1) The Commission must keep proper accounts and proper records 
in relation to them. 


(2) The Commission must prepare a statement of accounts in respect 
of each financial year in the form specified by the Secretary of 
State. 


(3) The Commission must send a copy of each statement of accounts 
to the Secretary of State and the Comptroller and Auditor General 
before the end of August next following the financial year to 
which the statement relates. 


(4) The Comptroller and Auditor General must — 


(a) examine, certify and report on the statement of accounts, 
and 


(b) send a copy of the certified statement and the report to the 
Secretary of State. 


(5) The Secretary of State must lay before Parliament each document 
received under sub-paragraph (4)(b). 


(6) In this paragraph “financial year” means — 
(a) the period beginning with the date on which the 
Commission is established and ending with the 31 March 
following that date, and 


(b) each successive period of 12 months. 
Authentication of seal and presumption of authenticity of documents 


23 (1) The application of the Commission’s seal must be authenticated 
by the signature of — 
(a) the chair of the Commission, or 
(b) another person authorised for that purpose by the 
Commission. 


(2) A document purporting to be duly executed under the 
Commission’s seal or signed on its behalf — 
(a) is to be received in evidence, and 
(b) is to be taken to be executed or signed in that way, unless 
the contrary is shown. 


(3) This paragraph does not extend to Scotland. 
Interpretation 


24 In this Schedule — 

(a) references to pensions, allowances or gratuities include 
references to any similar benefits provided on death or 
retirement; and 

(b) references to the payment of pensions, allowances or 
gratuities to or in respect of a person includes a reference 
to the making of payments towards the provision of 
pensions, allowances or gratuities to be paid to or in 
respect of a person.” 


Transitional provision 


2 (1) This paragraph applies to the person who holds the office of Information 
Commissioner immediately before the day on which this Schedule comes 
into force. 


(2) The person is to be treated as having been appointed as the chair of the 
Information Commission for a term that expires at the time the person 
would cease to hold the office of Information Commissioner but for the 
abolition of that office by section 101. 


(3) The term for which the person is treated as having been appointed as the 
chair of the Information Commission may not be extended under paragraph 
7(3) of Schedule 12A to the 2018 Act so that the term as extended expires 
after the end of the period of 7 years beginning with the day the person 
began to hold the office of Information Commissioner. 
BILL 


To make provision for the regulation of the processing of information relating to 
identified or identifiable living individuals; to make provision about services 
consisting of the use of information to ascertain and verify facts about individuals; to 
make provision about access to customer data and business data; to make provision 
about privacy and electronic communications; to make provision about services for 
the provision of electronic signatures, electronic seals and other trust services; to 
make provision about the disclosure of information to improve public service 
delivery; to make provision for the implementation of agreements on sharing 
information for law enforcement purposes; to make provision about the keeping and 
maintenance of registers of births and deaths; to make provision about information 
standards for health and social care; to establish the Information Commission; to 
make provision about oversight of biometric data; and for connected purposes. 


Presented by Secretary Nadine Dorries 
Supported by Secretary Priti Patel, 
Secretary Steve Barclay, 
Secretary Kwasi Kwarteng, 
Matt Warman, Jacob Rees-Mogg, 
Stephen McPartland, Tom Pursglove 
and Heather Wheeler. 


Ordered, by The House of Commons, 
to be Printed, 18th July 2022. 